- Notifications
You must be signed in to change notification settings - Fork14
Tests support and behavior of elliptic curve cryptography implementations on JavaCards (TYPE_EC_FP and TYPE_EC_F2M) and in selected software libraries.
License
crocs-muni/ECTester
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
ECTester is a tool for testing and analysis of elliptic curve cryptography implementations on JavaCards and incryptographic libraries. It consists of four separate parts:
- The ECTester applet, a JavaCard applet that provides the testing interface
- The ECTesterReader app, a reader app that works with the applet
- The ECTesterStandalone app, which tests software cryptographic libraries
- Jupyter notebooks for analysis and visualization of data from the apps
For more information on ECC support on JavaCards see theGitHub page, with results, tables and docs.
This project is developed by theCentre for Research On Cryptography and Security at Faculty of Informatics, Masaryk University.
- TESTS: Description of card test suites.
- CURVES: Description of curve and test data contained in ECTester.
- FORMAT: Description of input and output formats used by ECTester.
- LIBS: List of cryptographic libraries supported by ECTester and their characteristics.
- VULNS: List of vulnerabilities discovered using ECTester.
ECTester uses Gradle (and Gradle wrapper) for its build.There are three parts of ECTester, the JavaCard applet used for testing, the reader app which controls it and thestandalone app which tests software libraries. The target platform for ECTester is Linux, but things should work onWindows as well, although testing of standalone libraries will be limited to Java libraries and Microsoft CNG library.
The ECTester parts require different Java versions. Reader and standalone parts require Java >= 15 while the applet buildwill be able to target different JavaCard versions based on the Java version, seethis list.
To build ECTester simply do:
git submodule update --init --recursive# To initialize submodules (JavaCard SDKs, Microsoft CNG, BoringSSL, ...)./gradlew :applet:buildJavaCard# To build the applet (cap) -> "applet/build/javacard/applet[221,222,305].cap"../gradlew :reader:uberJar# To build the reader tool (jar) -> "reader/build/libs/ECTesterReader.jar"./gradlew :standalone:libs# To build the native library shims../gradlew :standalone:uberJar# To build the standalone tool (jar) -> "standalone/build/libs/ECTesterStandalone.jar"
The applet comes in several flavors, targeting JavaCard2.2.1,2.2.2 and3.0.5. The2.2.2 and later flavorssupport extended length APDUs which are necessary for some commands to work properly.
To build the standalone part, which involves numerous cryptographic libraries, one has two options.
- Install these cryptographic libraries system-wide and let the build use those.
- UseNix to build the tool part with given library versions.
See the section onsetup of standalone library testing for more details.
The JavaCard part of ECTester targets testing elliptic curve cryptography implementations in programmable smart cards of the JavaCard platform, version 2.2.1 and up. The reader app supports many actions, the main one beingtesting: the running of predetermined test suites that test the JavaCard for support, performance and vulnerabilities. The other actions focus on data collection,generating keys,signing data,performing key agreement orexporting the preset curves, output of the mentioned actions can then be analyzed using the Jupyter notebooks, seeanalysis.
- Upload
applet/build/applet/ectester[221,222,305].capusing your favorite tool (e.g.,GlobalPlatformPro tool). - Run
java -jar reader/build/libs/ECTesterReader.jar -tor other data collection commands. - Inspect output log with annotated results.
Following operations are tested in the default test suite, which is just a basic support test suite:
- Allocation of new KeyPair class for specified parameters
- Generation of KeyPair with default curve
- Setting of custom curve and KeyPair generation
- Generation of shared secret via ECDH
- Signature via ECDSA
Seejava -jar ECTesterReader.jar -h,java -jar ECTesterReader.jar -ls andTESTS for more.
Actions for the reader app, exactly one of which is required for every run.
-t / --test [test_suite]
Perform support, performance and vulnerability tests of ECC.
Currently supported test suites include:
defaulttest-vectorscompressionmiscellaneoussignaturewrong*invalid*twist*degenerate*composite*cofactor*edge-cases*
*NOTE: Thewrong,composite,invalid,twist,cofactor,edge-cases anddegenerate test suites caused temporary/permanent DoS of some cards. These test suites prompt you forconfirmation before running, be cautious.
To select which tests will be performed, it is possible to enter the test suite name with a suffixwhich specifies the number of the first test to be run, and optionally the number of the last test to be run as-t <test_suite>[:start_index[:stop_index]].
Use with-o / --output [out_type:]<out_file> to output the test results to a file.Use-n / --number to repeat tests multiple times (for example if you want more information on timings).Use-ts / --test-shuffle to shuffle the tests in the test suite.Use--cleanup to issue a JavaCard cleanup command after each group of tests (JCSystem.requestObjectDeletion()).
For possible formats of this file seeFORMAT.For more info about the test suites seeTESTS.
-e / --export
Exports the default curves (if any) that are preset on the card.Use with-o / --output [out_file] to output the curve parameters to a file.For format of this file seeFORMAT.
-g / --generate [amount]
Generates batch of EC keypairs and exports them.
Use with-o / --output [out_file] to output the generated keys to a file.Use with--time to measure time as a difference of real duration of the operation and the dry-run duration of the operation.Use--time-unit [milli, micro, nano] to specify the time unit of the output.For format of this file seeFORMAT.
-dh / --ecdh [count]
Performs ECDH.
Use with-o / --output [out_file] to output into a file.Use with--time to measure time as a difference of real duration of the operation and the dry-run duration of the operation.Use--time-unit [milli, micro, nano] to specify the time unit of the output.For format of this file seeFORMAT.Respects the KeyAgreement type specified in-ka / --ka-type [type].
-dsa / --ecdsa [count]
Performs ECDSA.Useful with-i / --input [in_file] to sign the contents of a file.Use with-o / --output [out_file] to output into a file.Use with--time to measure time as a difference of real duration of the operation and the dry-run duration of the operation.Use--time-unit [milli, micro, nano] to specify the time unit of the output.For format of these files seeFORMAT.Respects the Signature type specified in-sig / --sig-type [type].
-ln / --list-named [category/name]
Lists categories of curves, keys and keypairs embedded in ECTester's jar, along with some information about them.These can be used as arguments to the-n[c|k|pub|priv] / --named-[curve|key|public|private] parameters, using the format:category/name.
For example:secg/secp192r1 identifies the SECG 192 bit prime field curve known assecp192r1.
For more info about the curves and curve categories seeCURVES.
-ls / --list-suites
Lists the implemented test suites and gives their short description.
-nf / --info
Get and print ECTester applet info from an applet installed on a card.
Outputs:
- Card ATR
- Negotiated protocol (T=0/T=1)
- ECTester applet version
- ECTester APDU support (basic/extended APDU)
- JavaCard API version
- JavaCard cleanup support
- ECTester internal array sizes and APDU buffer size
Snippet below shows running the default test suite while simulating(-s), so using JCardSim.This shows that JCardsim simulates 112b Fp support with default curve present and supports ECDH, ECDHC and ECDSA.
> java -jar ECTesterReader.jar -t -s═══ Running test suite: default ══════ The default test suite tests basic support of ECDH and ECDSA.═══ Date: 2018.05.02 20:29:38═══ ECTester version: v0.3.0═══ Card ATR: 3bfa1800008131fe454a434f5033315632333298■━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━┓ OK ╋ (0) Get applet info: v0.3.0; 3.0; basic ┃ SUCCESS ┃ All sub-tests had the expected result. ┗ OK ━ Get applet info ┃ SUCCESS ┃ 0 ms ┃ OK (0x9000)■━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━┓ OK ╋ (1) Tests of 112b ALG_EC_FP support. ┃ SUCCESS ┃ All sub-tests matched the expected mask. ┣ OK ━ Allocate both keypairs 112b ALG_EC_FP ┃ SUCCESS ┃ 166 ms ┃ OK (0x9000) OK (0x9000) ┣ OK ━ Generate both keypairs ┃ SUCCESS ┃ 19 ms ┃ OK (0x9000) OK (0x9000) ┣ OK ━ Allocate both keypairs 112b ALG_EC_FP ┃ SUCCESS ┃ 0 ms ┃ OK (0x9000) OK (0x9000) ┣ OK ━ Set custom curve parameters on both keypairs ┃ SUCCESS ┃ 0 ms ┃ OK (0x9000) OK (0x9000) ┣ OK ━ Generate both keypairs ┃ SUCCESS ┃ 5 ms ┃ OK (0x9000) OK (0x9000) ┣ OK ┳ KeyAgreement tests. ┃ SUCCESS ┃ Some sub-tests did have the expected result. ┃ ┣ OK ┳ Test of the ALG_EC_SVDP_DH KeyAgreement. ┃ SUCCESS ┃ Some ECDH is supported. ┃ ┃ ┣ OK ━ Allocate KeyAgreement(ALG_EC_SVDP_DH) object ┃ SUCCESS ┃ 1 ms ┃ OK (0x9000) ┃ ┃ ┣ OK ━ ALG_EC_SVDP_DH of local pubkey and remote privkey ┃ SUCCESS ┃ 2 ms ┃ OK (0x9000) ┃ ┃ ┣ OK ━ ALG_EC_SVDP_DH of local pubkey and remote privkey(COMPRESSED point) ┃ SUCCESS ┃ 3 ms ┃ OK (0x9000) ┃ ┃ ┗ OK ━ Mean = 1879950 ns, Median = 1835076 ns, Mode = 1763287 ns ┃ SUCCESS ┃ 1 ms ┃ OK (0x9000) ┃ ┣ OK ┳ Test of the ALG_EC_SVDP_DHC KeyAgreement. ┃ SUCCESS ┃ Some ECDH is supported. ┃ ┃ ┣ OK ━ Allocate KeyAgreement(ALG_EC_SVDP_DHC) object ┃ SUCCESS ┃ 0 ms ┃ OK (0x9000) ┃ ┃ ┣ OK ━ ALG_EC_SVDP_DHC of local pubkey and remote privkey ┃ SUCCESS ┃ 1 ms ┃ OK (0x9000) ┃ ┃ ┣ OK ━ ALG_EC_SVDP_DHC of local pubkey and remote privkey(COMPRESSED point) ┃ SUCCESS ┃ 2 ms ┃ OK (0x9000) ┃ ┃ ┗ OK ━ Mean = 1748499 ns, Median = 1760792 ns, Mode = 1647372 ns ┃ SUCCESS ┃ 1 ms ┃ OK (0x9000) ┃ ┣ NOK ━ Allocate KeyAgreement(ALG_EC_SVDP_DH_PLAIN) object ┃ FAILURE ┃ 0 ms ┃ fail (NO_SUCH_ALG, 0x0003) ┃ ┣ NOK ━ Allocate KeyAgreement(ALG_EC_SVDP_DHC_PLAIN) object ┃ FAILURE ┃ 0 ms ┃ fail (NO_SUCH_ALG, 0x0003) ┃ ┣ NOK ━ Allocate KeyAgreement(ALG_EC_PACE_GM) object ┃ FAILURE ┃ 0 ms ┃ fail (NO_SUCH_ALG, 0x0003) ┃ ┗ NOK ━ Allocate KeyAgreement(ALG_EC_SVDP_DH_PLAIN_XY) object ┃ FAILURE ┃ 0 ms ┃ fail (NO_SUCH_ALG, 0x0003) ┗ OK ┳ Signature tests. ┃ SUCCESS ┃ Some sub-tests did have the expected result. ┣ OK ┳ Test of the ALG_ECDSA_SHA signature. ┃ SUCCESS ┃ All sub-tests had the expected result. ┃ ┣ OK ━ Allocate Signature(ALG_ECDSA_SHA) object ┃ SUCCESS ┃ 2 ms ┃ OK (0x9000) ┃ ┣ OK ━ ALG_ECDSA_SHA with local keypair(random data) ┃ SUCCESS ┃ 17 ms ┃ OK (0x9000) ┃ ┣ OK ━ Sign (Mean = 1451086 ns, Median = 1413292 ns, Mode = 1378296 ns) ┃ SUCCESS ┃ 1 ms ┃ OK (0x9000) ┃ ┗ OK ━ Verify (Mean = 1850022 ns, Median = 1837022 ns, Mode = 1744613 ns) ┃ SUCCESS ┃ 1 ms ┃ OK (0x9000) ┣ NOK ━ Allocate Signature(ALG_ECDSA_SHA_224) object ┃ FAILURE ┃ 0 ms ┃ fail (NO_SUCH_ALG, 0x0003) ┣ NOK ━ Allocate Signature(ALG_ECDSA_SHA_256) object ┃ FAILURE ┃ 0 ms ┃ fail (NO_SUCH_ALG, 0x0003) ┣ NOK ━ Allocate Signature(ALG_ECDSA_SHA_384) object ┃ FAILURE ┃ 0 ms ┃ fail (NO_SUCH_ALG, 0x0003) ┗ NOK ━ Allocate Signature(ALG_ECDSA_SHA_512) object ┃ FAILURE ┃ 0 ms ┃ fail (NO_SUCH_ALG, 0x0003)- Some general information about the test suite and card is output first, test data follows after.
- TheOK/NOK values on the left represent the complete evaluated result of a test, as a test can be expectedto succeed or fail, this is different than the values on the right:
- SUCCESS: IsOK, the test was expected to pass and it did.
- FAILURE: IsNOK, the test was expected to pass, but it did not.
- UXSUCCESS: IsNOK, the test was expected to fail, but it did not.
- XFAILURE: IsOK, the test was expected to fail, and it did.
- ERROR: IsNOK an unexpected error during testing arose.
- The tests can be compounded into compound tests, which are visible as a tree of tests and sub-tests.
- The duration of non-compound tests is shown in the third column, this is a rough estimate, measured from before the APDU is sent, to just after the response is received.
- The cause of the test result, is shown in the last column, for non-compound tests, these are JavaCard(or custom) status words, from operations done on the card.
If you are interested in testing support for other JavaCard algorithms, please visit JCAlgTester project:https://github.com/crocs-muni/JCAlgTest
Snippet below shows collection of 1000 of ECDSA signatures (--ecdsa) over a prime field (-fp) 160 bit (-b) curve, which will be thesecp160r1 curve, because of the-u switch, which selects one of the SECG curves for the bit-length. The applet signes randomly generated but static data using a fixed key (--fixed). Timing data is collected and output in nanoseconds (--time-unit) and output intoout.csv.
> java -jar ECTesterReader.jar --ecdsa 1000 -fp -b 160 -u --fixed --time-unit nano -o out.csvAllocate Signature(ALG_ECDSA_SHA) object ┃ 10 ms ┃ OK (0x9000)Allocate local keypair 160b ALG_EC_FP ┃ 57 ms ┃ OK (0x9000)Set secp160r1 curve parameters on local keypair ┃ 0 ms ┃ OK (0x9000)Generate local keypair ┃ 49 ms ┃ OK (0x9000)Export keypair params from both keys of local keypair ┃ 0 ms ┃ OK (0x9000)ALG_ECDSA_SHA signature with local keypair(provided data) ┃ 31 ms ┃ OK (0x9000)ALG_ECDSA_SHA verification with local keypair(provided data) ┃ 40 ms ┃ OK (0x9000)ALG_ECDSA_SHA signature with local keypair(provided data) ┃ 12 ms ┃ OK (0x9000)ALG_ECDSA_SHA verification with local keypair(provided data) ┃ 19 ms ┃ OK (0x9000)ALG_ECDSA_SHA signature with local keypair(provided data) ┃ 14 ms ┃ OK (0x9000)ALG_ECDSA_SHA verification with local keypair(provided data) ┃ 19 ms ┃ OK (0x9000)ALG_ECDSA_SHA signature with local keypair(provided data) ┃ 14 ms ┃ OK (0x9000)...The output of the above command,out.csv looks something like this:
index;signTime[nano];verifyTime[nano];data;pubW;privS;signature[SHA1];nonce;valid0;26255357;28391390;a82187036e952ef2facb119b283883473944a0705f6e5979bf941789006b1b66;0463456917124646414c737ab5b2f83cf14d87139d047eac35b3e045a3e779ba345150d02e334454a8;3ebe95d4fda4988e000cba9b0cce25992da0f11d;302c02144be3feb924778b4ef4dff059935a53ca38b5016c02144161ca9cce5afbe2d06fd37379200eec0ad9c9d3;00c79485ede7e464b8c37312008fc54fea69d75463;11;14306042;20846855;a82187036e952ef2facb119b283883473944a0705f6e5979bf941789006b1b66;0463456917124646414c737ab5b2f83cf14d87139d047eac35b3e045a3e779ba345150d02e334454a8;3ebe95d4fda4988e000cba9b0cce25992da0f11d;302d021500a3684c699aded3af7b6e9c2d5bd033974443588c02143ee89959bb25c524da19b90f852e0dfcdb4ed6f6;00d9e1ad90d83dd3fc23b91061de6abf094e23e15a;12;16327883;18140346;a82187036e952ef2facb119b283883473944a0705f6e5979bf941789006b1b66;0463456917124646414c737ab5b2f83cf14d87139d047eac35b3e045a3e779ba345150d02e334454a8;3ebe95d4fda4988e000cba9b0cce25992da0f11d;302d0214429d54da93314437c5e1dd8a5244050f6b810dd3021500b989c5f990e702f319fb862d74172f5cc704e968;6206c53cabfc51fdcce5b5c551f091ddc5064dc2;13;19589990;37379094;a82187036e952ef2facb119b283883473944a0705f6e5979bf941789006b1b66;0463456917124646414c737ab5b2f83cf14d87139d047eac35b3e045a3e779ba345150d02e334454a8;3ebe95d4fda4988e000cba9b0cce25992da0f11d;302c02142017caabf802f18c5ac26d7b9c4679d34fcbd335021442a6dd6d63e136a27cda25e0e6197db4a30a9609;00ecdd91d35735d084dfb912d4aeca7e3f68cf2cd5;14;15369903;22086733;a82187036e952ef2facb119b283883473944a0705f6e5979bf941789006b1b66;0463456917124646414c737ab5b2f83cf14d87139d047eac35b3e045a3e779ba345150d02e334454a8;3ebe95d4fda4988e000cba9b0cce25992da0f11d;302e021500c82cb5d17aa2c1e13659c3ee0be8896f8e416731021500a1bdbfb48c46490c82af88f590c79d5770916c79;0094f752027314501b3586295c660576c184d9c9ee;1This output can be then analysed using Jupyter notebooks in theutil directory, seeanalysis for more.
Snippet below shows output of the info command:
> java -jar ECTesterReader.jar -nfCard ATR: 3bdb960080b1fe451f830031c064c308010001900095Card protocol: T=1ECTester applet version: v0.3.3ECTester applet APDU support: extended lengthJavaCard API version: 2.2JavaCard supports system cleanup: trueArray sizes (apduBuf,ram,ram2,apduArr):635 256 256 512The standalone part of ECTester targets testing elliptic curve cryptography implementations in Java and native cryptographic libraries.
Currently supported libraries include:
- BouncyCastle (Java)
- Sun EC (Java)
- OpenSSL
- BoringSSL
- wolfSSL
- Crypto++
- libtomcrypt
- libgcrypt
- Botan
- Microsoft CNG
- Intel Performance Primitives Crypto
- MbedTLS
- Nettle
- LibreSSL
For more information on ECC libraries seeLIBS.
ECTester interfaces with native libraries by using custom shim libraries that expose the functionality via theJava Native Interface, these can be found in thestandalone/src/main/java/cz/crcs/ectester/standalone/libs/jni directory along with a Makefile(Makefile.bat for Windows). The shim library will depend on the native library, and have a name likeboringssl_provider.so,botan_provider.so,cryptopp_provider.so andopenssl_provider.so.The Makefile has a target for every library that it supports that builds its shim, see thehelptarget for more info.
However, building these shims and in general the target libraries can be tricky to do so reliably acrosssystems and setups. Thus ECTester offers two ways of doing so.
- The first way is to install the libraries system-wide and rely on pkg-config to find proper configurationfor the shims and link them dynamically.
- The second way is to useNix to build the given versions of the libraries and shims andlink them statically.
InstallNix, then to build:
# To build a library in a given version run (example OpenSSL 3.3.1):nix build"#lib.openssl.v331"# To build a shim using a given version of a library (example mbedTLS 3.5):nix build"#shim.mbedtls.v35"# To build ECTesterStandalone.jar with a given version of a library (example libgcrypt 1.9.4):nix build"?submodules=1#gcrypt.v194"# The available versions of the libraries are in the nix/*_pkg_versions.json files.# The "default" version always points to the most recent version.# To build ECTesterStandalone with all the libraries in default versions:nix build"?submodules=1#"
Each of the build steps above puts (symlinks really) its results into./result directory.However, subsequent builds then replace that with their own results. To run ECTesterStandalonewith a given library version and arguments do:
# This runs the default test-suite agains LibreSSL 3.9.2nix run"?submodules=1#libressl.v392" ---test default LibreSSL
./gradlew :standalone:libs# To build the native library shims../gradlew :standalone:uberJar# To build the standalone tool (jar) -> "standalone/build/libs/ECTesterStandalone.jar"
Simply doing the above should build everything necessary to test libraries via the standalone app,(except the BoringSSL, LibreSSL, ipp-crypto, mbedTLS, and wolfCrypt libraries)the sections below describe the details of how that works and what needs to be done if it doesn't.
To see whether your build was successful, run:java -jar standalone/build/libs/ECTesterStandalone.jar list-libs and observe if your target libraries are included inthe output. If they are not, and they are native libraries, it means that either the shim library was not builtsuccessfully or that the actual native library couldn't be found and loaded on runtime. To solve the former, look forbuild errors during the ant run in thelibs-try step, for the latter, if the library is in an non-standard locationspecifyingLD_LIBRARY_PATH will help load it. Consulting the next sections should help solve both.
The:standalone:libs task invokes the Makefile, which tries to build theC/C++ shim libraries required for ECTester to test the actual native cryptographic libraries from Java.The Makefile uses pkg-config to locate the libraries installed, thus if non-standard location of the tested libraries isused, the Makefile or your pkg-config needs some changes to work.
There are two important environmental variables that should be set in your environment. First, you should setJAVA_HOME which should point to your JDK. The tooling usesJAVA_HOME to locate native Java library headers,likejni.h. Second, ECTester uses pkg-config to locate the native libraries, if your pkg-config files are in anunusual place the pkg-config command would not find them by default, you should setPKG_CONFIG_PATH to the directorycontaining the*.pc files. If pkg-config files are unavailable for the library you are trying to test, you will needto change the Makefile manually to apply the correct options to the commands (CFLAGS, include options, linker options...).
Below you can see how a full build with all the libraries currently supported on Linux looks
> cd standalone/src/main/resources/cz/crcs/ectester/standalone/libs/jni> make -f Makefile.extcc -DLTM_DESC -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c tomcrypt.ccc -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c c_utils.ccc -o lib_timing.so -shared -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -Wl,-soname,lib_timing.so c_timing.ccc -fPIC -shared -O2 -o tomcrypt_provider.so -Wl,-rpath,'$ORIGIN/lib' tomcrypt.o c_utils.o -L. -ltommath -ltomcrypt -l:lib_timing.sog++ -I/usr/include/botan-2 -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c botan.cppg++ -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c cpp_utils.cppg++ -fPIC -shared -O2 -o botan_provider.so -Wl,-rpath,'$ORIGIN/lib' botan.o cpp_utils.o -L. -lbotan-2 -fstack-protector -m64 -pthread -l:lib_timing.sog++ -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c cryptopp.cppg++ -fPIC -shared -O2 -o cryptopp_provider.so -Wl,-rpath,'$ORIGIN/lib' cryptopp.o cpp_utils.o -L. -lcryptopp -l:lib_timing.socc -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c openssl.ccc -fPIC -shared -O2 -o openssl_provider.so -Wl,-rpath,'$ORIGIN/lib' openssl.o c_utils.o -L. -lssl -lcrypto -l:lib_timing.socc -I../../../../../../../../../../boringssl/include/ -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c boringssl.ccp ../../../../../../../../../../boringssl/build/crypto/libcrypto.so lib_boringssl.socc -fPIC -shared -O2 -o boringssl_provider.so -Wl,-rpath,'$ORIGIN/lib' boringssl.o c_utils.o -L. lib_boringssl.so -l:lib_timing.socc -I/usr/local/include -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c gcrypt.ccc -fPIC -shared -O2 -o gcrypt_provider.so -Wl,-rpath,'$ORIGIN/lib' gcrypt.o c_utils.o -L. -L/usr/local/lib -lgcrypt -lgpg-error -l:lib_timing.socc -I../../../../../../../../../../ext/mbedtls/include/ -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c mbedtls.ccp ../../../../../../../../../../ext/mbedtls/build/library/libmbedcrypto.so lib_mbedtls.socc -fPIC -shared -O2 -o mbedtls_provider.so -Wl,-rpath,'$ORIGIN/lib' mbedtls.o c_utils.o -L. lib_mbedtls.so -l:lib_timing.socc -I../../../../../../../../../../ipp-crypto/build/.build/RELEASE/include/ -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c ippcp.ccp ../../../../../../../../../../ipp-crypto/build/.build/RELEASE/lib/libippcp.so lib_ippcp.socc -fPIC -shared -O2 -o ippcp_provider.so -Wl,-rpath,'$ORIGIN/lib' ippcp.o c_utils.o -L. lib_ippcp.so -l:lib_timing.socc -lhogweed -lgmp -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c nettle.ccc -fPIC -shared -O2 -o nettle_provider.so -Wl,-rpath,'$ORIGIN/lib' nettle.o c_utils.o -L. -lnettle -l:lib_timing.so -lhogweed -lgmpcc -I../../../../../../../../../../ext/libressl/include/ -fPIC -I"/usr/lib/jvm/java-21-openjdk/include" -I"/usr/lib/jvm/java-21-openjdk/include/linux" -I. -Wno-deprecated-declarations -O2 -c libressl.ccp ../../../../../../../../../../ext/libressl/build/crypto/libcrypto.so lib_libressl.socc -fPIC -shared -O2 -o libressl_provider.so -Wl,-rpath,'$ORIGIN/lib' libressl.o c_utils.o -L. lib_libressl.so -l:lib_timing.soBoringSSL, LibreSSL, ipp-crypto, mbedTLS and partially wolfCrypt are included as git submodules.Make sure you run:git submodule update --init --recursiveafter checking out the ECTester repository to initialize them.
To build BoringSSL do:
cd ext/boringsslcmake -GNinja -Bbuild -DBUILD_SHARED_LIBS=1cd buildninja
To build LibreSSL do:
cd ext/libressl./autogen.shcmake -GNinja -Bbuild -DBUILD_SHARED_LIBS=1cd buildninja
To build ipp-crypto do:(Make sure you have the necessarybuild requirements)
cd ext/ipp-cryptoCC=clang CXX=clang++ cmake CMakeLists.txt -GNinja -Bbuild -DARCH=intel64# Does not work with GCC 12+cd buildninja
To build mbedTLS do:
cd ext/mbedtlspython -m venv virt. virt/bin/activatepip install -r scripts/basic.requirements.txtcmake -GNinja -Bbuild -DUSE_SHARED_MBEDTLS_LIBRARY=Oncd buildninja
To build wolfCrypt-JNI do:(You need to have wolfSSL installed and ready for development)
cd ext/wolfcrypt-jnimkdir junitwget -P junit/ https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar wget -P junit/ https://repo1.maven.org/maven2/org/hamcrest/hamcrest-all/1.3/hamcrest-all-1.3.jarmake -f makefile.linuxenv JUNIT_HOME=junit/ ant build-jce-releaseThe producedlib/wolfcrypt-jni.jar will be automatically included into the standalone JAR when buildingstandalone:uberJar.However, the producedlib/libwolfcryptjni.so native library will not be automatically loaded. You thus need to include itonLD_LIBRARY_PATH.
Consult the GitHub CIbuild script for an example that runs on Ubuntu 22.04.
Snippet below shows how thelist-libs command for well, listing currently supported libraries, behaves if all supported libraries are present (on Linux).
> java -jar ECTesterStandalone.jar list-libs- SunEC- Fullname: SunEC- Version: 21- Supports native timing: []- Supports deterministic PRNG: true- KeyPairGenerators: EC, Ed25519, Ed448, EdDSA, X25519, X448, XDH- KeyAgreements: ECDH, X25519, X448, XDH- Signatures: ECDSA, Ed25519, Ed448, EdDSA, NONEwithECDSA, SHA224withECDSA, SHA256withECDSA, SHA3-224withECDSA, SHA3-256withECDSA, SHA3-384withECDSA, SHA3-512withECDSA, SHA384withECDSA, SHA512withECDSA- Curves: secp256r1, secp384r1, secp521r1- BouncyCastle- Fullname: BC- Version: 1.77- Supports native timing: []- Supports deterministic PRNG: true- KeyPairGenerators: EC, ECDH, ECDHC, ECDSA, ECMQV, Ed25519, Ed448, EdDSA, X25519, X448, XDH- KeyAgreements: ECCDHwithSHA1KDF, ECCDHwithSHA224KDF, ECCDHwithSHA256KDF, ECCDHwithSHA384KDF, ECCDHwithSHA512KDF, ECDH, ECDHC, ECDHwithSHA1KDF, ECDHwithSHA224KDF, ECDHwithSHA256KDF, ECDHwithSHA384KDF, ECDHwithSHA512KDF, X25519, X448, XDH- Signatures: ECDDSA, ECDSA, ECGOST3410, ECGOST3410-2012-256, ECGOST3410-2012-512, Ed25519, Ed448, EdDSA, GOST3411-2012-256withECGOST3410-2012-256, GOST3411-2012-512withECGOST3410-2012-512, GOST3411withECGOST3410, NONEwithECDSA, RIPEMD160withECDSA, RIPEMD160withPLAIN-ECDSA, SHA1withCVC-ECDSA, SHA1withECNR, SHA1withPLAIN-ECDSA, SHA224withCVC-ECDSA, SHA224withECDDSA, SHA224withECDSA, SHA224withECNR, SHA224withPLAIN-ECDSA, SHA256withCVC-ECDSA, SHA256withECDDSA, SHA256withECDSA, SHA256withECNR, SHA256withPLAIN-ECDSA, SHA3-224withECDDSA, SHA3-224withECDSA, SHA3-256withECDDSA, SHA3-256withECDSA, SHA3-384withECDDSA, SHA3-384withECDSA, SHA3-512withECDDSA, SHA3-512withECDSA, SHA384withCVC-ECDSA, SHA384withECDDSA, SHA384withECDSA, SHA384withPLAIN-ECDSA, SHA512withCVC-ECDSA, SHA512withECDDSA, SHA512withECDSA, SHA512withECNR, SHA512withPLAIN-ECDSA, SM3withSM2- Curves: B-163, B-233, B-283, B-409, B-571, FRP256v1, GostR3410-2001-CryptoPro-A, GostR3410-2001-CryptoPro-B, GostR3410-2001-CryptoPro-C, GostR3410-2001-CryptoPro-XchA, GostR3410-2001-CryptoPro-XchB, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521, Tc26-Gost-3410-12-256-paramSetA, Tc26-Gost-3410-12-512-paramSetA, Tc26-Gost-3410-12-512-paramSetB, Tc26-Gost-3410-12-512-paramSetC, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176w1, c2pnb208w1, c2pnb272w1, c2pnb304w1, c2pnb368w1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, prime256v1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, sm2p256v1, wapi192v1, wapip192v1- tomcrypt- Fullname: libtomcrypt 1.18.2- Version: 1.18- Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc]- Supports deterministic PRNG: true- KeyPairGenerators: EC- KeyAgreements: ECDH- Signatures: NONEwithECDSA- Curves: ECC-192, ECC-224, ECC-256, ECC-384, ECC-521, SECP112R1, SECP128R1, SECP160R1- Botan- Fullname: Botan 2.19.5- Version: 2.193- Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc]- Supports deterministic PRNG: true- KeyPairGenerators: ECDH, ECDSA, ECGDSA, ECKCDSA- KeyAgreements: ECDH, ECDHwithSHA1KDF, ECDHwithSHA224KDF, ECDHwithSHA256KDF, ECDHwithSHA384KDF, ECDHwithSHA512KDF- Signatures: ECDSA, ECGDSA, ECKCDSA, NONEwithECDSA, NONEwithECGDSA, NONEwithECKCDSA, SHA224withECDSA, SHA224withECGDSA, SHA224withECKCDSA, SHA256withECDSA, SHA256withECKCDSA, SHA384withECDSA, SHA384withECGDSA, SHA384withECKCDSA, SHA512withECDSA, SHA512withECGDSA, SHA512withECKCDSA- Curves: brainpool160r1, brainpool192r1, brainpool224r1, brainpool256r1, brainpool320r1, brainpool384r1, brainpool512r1, frp256v1, gost_256A, gost_512A, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1, sm2p256v1, x962_p192v2, x962_p192v3, x962_p239v1, x962_p239v2, x962_p239v3- Crypto++- Fullname: Crypto++- Version: 8.0- Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc]- Supports deterministic PRNG: true- KeyPairGenerators: ECDH, ECDSA- KeyAgreements: ECDH- Signatures: ECDSA, SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA- Curves: 1.2.156.10197.1.301, 1.2.156.10197.1.301.3.1, 1.2.840.10045.3.1.1, 1.2.840.10045.3.1.7, 1.3.132.0.1, 1.3.132.0.10, 1.3.132.0.15, 1.3.132.0.16, 1.3.132.0.17, 1.3.132.0.2, 1.3.132.0.22, 1.3.132.0.23, 1.3.132.0.24, 1.3.132.0.25, 1.3.132.0.26, 1.3.132.0.27, 1.3.132.0.28, 1.3.132.0.29, 1.3.132.0.3, 1.3.132.0.30, 1.3.132.0.31, 1.3.132.0.32, 1.3.132.0.33, 1.3.132.0.34, 1.3.132.0.35, 1.3.132.0.36, 1.3.132.0.37, 1.3.132.0.38, 1.3.132.0.39, 1.3.132.0.4, 1.3.132.0.5, 1.3.132.0.6, 1.3.132.0.7, 1.3.132.0.8, 1.3.132.0.9, 1.3.36.3.3.2.8.1.1.1, 1.3.36.3.3.2.8.1.1.11, 1.3.36.3.3.2.8.1.1.13, 1.3.36.3.3.2.8.1.1.3, 1.3.36.3.3.2.8.1.1.5, 1.3.36.3.3.2.8.1.1.7, 1.3.36.3.3.2.8.1.1.9- OpenSSL- Fullname: OpenSSL 3.2.1 30 Jan 2024- Version: 3.2- Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc]- Supports deterministic PRNG: true- KeyPairGenerators: EC- KeyAgreements: ECDH- Signatures: NONEwithECDSA- Curves: Oakley-EC2N-3, Oakley-EC2N-4, SM2, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2pnb208w1, c2pnb272w1, c2pnb304w1, c2pnb368w1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, prime256v1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1, secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, wap-wsg-idm-ecid-wtls1, wap-wsg-idm-ecid-wtls10, wap-wsg-idm-ecid-wtls11, wap-wsg-idm-ecid-wtls12, wap-wsg-idm-ecid-wtls3, wap-wsg-idm-ecid-wtls4, wap-wsg-idm-ecid-wtls5, wap-wsg-idm-ecid-wtls6, wap-wsg-idm-ecid-wtls7, wap-wsg-idm-ecid-wtls8, wap-wsg-idm-ecid-wtls9- BoringSSL- Fullname: OpenSSL 1.1.1 (compatible; BoringSSL)- Version: 1.11- Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc]- Supports deterministic PRNG: false- KeyPairGenerators: EC- KeyAgreements: ECDH- Signatures: NONEwithECDSA- Curves: prime256v1, secp224r1, secp384r1, secp521r1- libgcrypt- Fullname: libgcrypt 1.11.0-unknown- Version: 1.11- Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc]- Supports deterministic PRNG: false- KeyPairGenerators: EC- KeyAgreements: ECDH- Signatures: ECDDSA, ECDSA, NONEwithECDSA, SHA224withECDDSA, SHA224withECDSA, SHA256withECDDSA, SHA256withECDSA, SHA384withECDDSA, SHA384withECDSA, SHA512withECDDSA, SHA512withECDSA- Curves: Curve25519, Ed25519, Ed448, GOST2001-CryptoPro-A, GOST2001-CryptoPro-B, GOST2001-CryptoPro-C, GOST2001-test, GOST2012-256-A, GOST2012-512-tc26-A, GOST2012-512-tc26-B, GOST2012-512-tc26-C, GOST2012-512-test, NIST P-192, NIST P-224, NIST P-256, NIST P-384, NIST P-521, X448, brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1, secp256k1, sm2p256v1- mbedTLS- Fullname: Mbed TLS 3.5.2- Version: 3.52- Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc]- Supports deterministic PRNG: true- KeyPairGenerators: EC- KeyAgreements: ECDH- Signatures: NONEwithECDSA- Curves: brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1, x25519, x448- IPPCP- Fullname: ippCP AVX2 (l9)- Version: 2021.7- Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc]- Supports deterministic PRNG: true- KeyPairGenerators: EC- KeyAgreements: ECDH- Signatures: NONEwithECDSA- Curves: secp112r1, secp112r2, secp128r1, secp128r2, secp160r1, secp160r2, secp192r1, secp224r1, secp256r1, secp384r1, secp521r1- Nettle- Fullname: Nettle- Version: 3.9- Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc]- Supports deterministic PRNG: true- KeyPairGenerators: EC- KeyAgreements: ECDH- Signatures: NONEwithECDSA- Curves: secp192r1, secp224r1, secp256r1, secp384r1, secp521r1- LibreSSL- Fullname: LibreSSL 3.9.0- Version: 3.9- Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc]- Supports deterministic PRNG: false- KeyPairGenerators: EC- KeyAgreements: ECDH- Signatures: NONEwithECDSA- Curves: FRP256v1, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, prime256v1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1, secp521r1, wap-wsg-idm-ecid-wtls12, wap-wsg-idm-ecid-wtls6, wap-wsg-idm-ecid-wtls7, wap-wsg-idm-ecid-wtls8, wap-wsg-idm-ecid-wtls9Snippet below demonstrates generation of 1000 (-n) keys on the named curvesecp256r1 (-nc) using the BouncyCastle library.
> java -jar ECTesterStandalone.jar generate -n 1000 -nc secg/secp256r1 Bouncyindex;time[nano];pubW;privS0;18459241;04886c2d253490d6a80906628aea65dc6763fe53690241d54de1f479f44d120e6349528644b3736eda0a8a0326563c3a846a415e1ff029a22404718c91770349d4;532e9b01e439df0ae63f7ed0a9c5f57f91175fd21d80a1d048c93fda7b7045221;1672835;049de329ce6d7d031a693143890ea7a277c0cb400b534b3a075614a1ec7d0b1e1680bd6791bb5027007ea286aa86a3af451e6772440be0adb3b19d249a47f8581e;00d69151b165880f93d18b4870b613e012ff00883192cd405d1fccd23e9001f9cc2;1433582;04cdf57599adb2096259ce55cc7bb8f4278ea50e8eb40eece42b73f532ac92da1702da16dcfbc378170828dfab29e202aefcce98573d94b37a911ab6d69f4de690;7fb22f96166c90436caa3be55023750333c9b4101761dd5e5257d0909a3774353;1388344;043f031b1efe0946c4cb4bf154c1ebefd63c3759aff2b021ae3338c99572fee66eb93dbd2f54907c55005df47618365f2f25238e8956cf27a132bc22ee1a014b5a;17c5e6164fced4ea35def7b6889797e10ac1c122044d139b56fd77bd6db973bd4;1190134;043495f79ae0d6ef885ea4229da46b07aedd10bf7646f91fc7ccdce1f24839e7323e101cdd4acd90e8deb023faf324c1d8cb37421df38f268d28bc83a39297ee0b;6effde3b884f22ecd6e8dbe01e90c80587be9fa7fe39a0293e34c9254efb12105;858219;0472197b8c6622a1715e7a3cbb4e2fcdb58448880b35f65295c68992a2646904619d85f87896aeefdd1704d04a9f0956f5bd4c6147f01b1fdc0dbd1d82d9554c4a;73c2d2f87f83d8f568d4173b98eab8e9ded2e17a9561cd194adcbb3d139242d06;873804;04829646ac5dbf5324c217a0d24239e33bfd4680634ae70fc27a9884f38b4eac04416c5127eec915993fc4d89076e7540bc973644c0ba2b5a509386734693daf9b;7dd1eccbe8919fe3dd7612fb22fa5fd060f6cb40e0abdc0f9f977e1f949f9ca6...Snippet below demonstrates performing 10 ECDSA signatures, without hashing the message (-t NONEwithECDSA) on thesecp256r1 curve, with a fixed keypair throught the process (--fixed), utilizing the rdtsc instruction to measure duration (--time-source) and using the MatrixSSL library.
> java -jar ECTesterStandalone.jar ecdsa -n 10 -t NONEwithECDSA -nc secg/secp256r1 --fixed --time-source rdtsc OpenSSLindex;signTime[instr];verifyTime[instr];data;pubW;privS;signature[NONE];nonce;verified0;6785333;18200703;24b064ff5a4d08df6f982d0e139677fb4e66602bea01e381e16d4d3614fd09d5;0429ef9b52fc5c9b8711c938820f4d15d6aab1dcd8aa5a80e754233f23c622a5a174cca795068aff9c979bff7e6f1345b529612a4d16df6adf56b8ac250a1fafc3;54d06d1a79b2b43dc072b96ca7b9f045fda84ac13f74ef81fab0d561a47d11d1;3045022070ca3dfe2017892d23a2301b2465ab387af7999c79de7dae53ec04d1600a25800221009fc9a6fe20c7930b9d8be40424ab4b08fa641f339efa81e6ccf5497cd71180f0;57ebf83913734ff0a78fa952da12996c48da17fbcf5967e74eb3e2c6b5e726b1;11;8582180;16170010;24b064ff5a4d08df6f982d0e139677fb4e66602bea01e381e16d4d3614fd09d5;0429ef9b52fc5c9b8711c938820f4d15d6aab1dcd8aa5a80e754233f23c622a5a174cca795068aff9c979bff7e6f1345b529612a4d16df6adf56b8ac250a1fafc3;54d06d1a79b2b43dc072b96ca7b9f045fda84ac13f74ef81fab0d561a47d11d1;3045022100efd3efc1bb2ed243eec9bea4bc331966e869c02df1fc8686a7649708c106595a022050e9a2548bac56bb3287f27c1761136947eefaa8a92f31978ed9485a03cb8f3d;0f5d3cc25d3eb69177b7917631f5639a088773873e91c1adb0a2b753987cace8;12;14906610;28661375;24b064ff5a4d08df6f982d0e139677fb4e66602bea01e381e16d4d3614fd09d5;0429ef9b52fc5c9b8711c938820f4d15d6aab1dcd8aa5a80e754233f23c622a5a174cca795068aff9c979bff7e6f1345b529612a4d16df6adf56b8ac250a1fafc3;54d06d1a79b2b43dc072b96ca7b9f045fda84ac13f74ef81fab0d561a47d11d1;3044022012ff4f949d1957c160ffdf5e53e6d3925c464954a79df2a613360e9513f647f5022001c337de39c78d16db21ee061a7f85cdd52a249570b59ef3f6c43f94a494a3a7;01525f491f4173281eb2f23877d816aa20f77f25ef87c9241dc130c2b862f923;13;14364756;17223863;24b064ff5a4d08df6f982d0e139677fb4e66602bea01e381e16d4d3614fd09d5;0429ef9b52fc5c9b8711c938820f4d15d6aab1dcd8aa5a80e754233f23c622a5a174cca795068aff9c979bff7e6f1345b529612a4d16df6adf56b8ac250a1fafc3;54d06d1a79b2b43dc072b96ca7b9f045fda84ac13f74ef81fab0d561a47d11d1;3046022100ddad3254d04df6914b886275b1d01939ea64481fba8bea2c4b3eac611ef3ce4a022100ca7702d7d1bea15bf7c8e77da9421e053e6b2235e3390fdcc0b60a69dc5cbc16;00810fe33ddc3dcee687f6310394c2f326d6024103e0b5dca97ddd157bb9d82721;14;8211882;14507032;24b064ff5a4d08df6f982d0e139677fb4e66602bea01e381e16d4d3614fd09d5;0429ef9b52fc5c9b8711c938820f4d15d6aab1dcd8aa5a80e754233f23c622a5a174cca795068aff9c979bff7e6f1345b529612a4d16df6adf56b8ac250a1fafc3;54d06d1a79b2b43dc072b96ca7b9f045fda84ac13f74ef81fab0d561a47d11d1;3046022100ae041e36e82c8f5d96f93beabb7bdfd070f88426b2b19ce53dea42f19a493500022100b20e409621effb91c92f79e3a125c02c16bdea3bbc6b690c47af8d87ff9994cf;54396537f7426576a6a0ba71bef63c5a1400b6baec9684807180696cb619ae5a;1...Snippet below demonstrates performing 10000 ECDH key agreements, using the curve namesecp256r1 (-cn, the difference between the-cn option and the-nc option is that the latter looks up the curve in ECTester's database and passes the parameters to the library explicitly, while the former passes the name to the library) using the MbedTLS library.
> java -jar ECTesterStandalone.jar ecdh -n 10000 -cn secp256r1 mbedTLSindex;time[nano];pubW;privS;secret[NONE]0;5952101;04367ef86b5fbf1b4716bf7822342ebb19a9b6bcfbdb4f4950bf090ba2d1263579dac3e8447c21202432c76f89a0b48a1c16970e4fde67853c8d389da3f02fcdfc;00ecc7b46513149ab19fbeb1c49c1706712dc7da3899add30eb935e18fe5851d79;a94524fa98e0e5b3e139afdb89b73b843e48d5491b19585a5dcae02f20f130881;6099022;0439803db68efddbfc3fba1feae41118b02e35d009670fbb4c5dfe6a56fe20829b42e101d0c55bf905276ac71af7e215714cf41742c1f8a2d102761b9eb307d209;6f43118f50ddfef724288ad4f116354bec4735370cb221547b76b18832daaea9;d1b90ed000ca9542ac2101383397a7180cdcd6896b1ccfb5b719da734ad96bf12;6479870;0479a06bef6ad14e54f043c04a1747e9c4199a648651066274fef6a1e291ef01364968fe087c6d2bdbfc99118e3fa3c122362a9e84bd4e2d955fa1234d4d7b5fcf;3e3e7fb34c248c059a90cff03126fbb8bf72e27608c2a1aa6351ec393c560bb3;a455a16a834c73823ab44dd6124a50640b4bb5256beddb9cd6f4b1e98377e4b53;6071236;04e57a603e491c9139a61b56dce7cbef3f3c7bdae375a6ee7e99631c5d9318e4e88a5edbe7290f73e5d925b10ce5c6b20dcd00fb7bb24aa4b2a3305ac444838906;3b1464a35c007ed437265ad292ff56a67666456eff7de97ff3a87594b3827c9e;2daa2d01d04b677df66ca4293aa14d492239cb066b1a87915d92915c723ffb3b4;6545463;04031c6fd3510a3381a0c8b3479a482b38bc5820a48c7bae4a2460805daf90d064441990bd1651a646c38d416ad8d4be39d4a4d58a19ed4532142148f80127412c;5dc92b7b09b91a2249d94b42083e7ad77a30b86a88d03db262d562477b3a7fc7;5520240090f83e506d915e43133fa0fe48338b29ee42279406ad63a7c10e57a15;7244349;0461f7ece97faeb52c367a550eb275b103b60f3beb8f07021f4e8c3991a95a454baca85b893fda2600ec56130de1117f0fbcc55bd9045abd1b26e7fc74cc701069;704f250ad24b94a1cdf3543954e9c5bfeb865a742c603a15cb7d7238807f113b;c74fca9cf311ea456ac0a0e8888f26de32716977f9ead6c15e0e3b066d7faa4c6;6318854;042e99f9808b2b4c4fbf23a6d00a619e7f9d12035ab4c0a731d6eb8396e5caec5842ad551081fe2270eb8036dec88234d15b0f8a261cbc53eb9bc6c5d61704d1ec;4d3d375f5d6b27e1a6de8a154915fa7eec3871eac55da1e2a501e73f31a26c3c;407db9be0a58bc3c159fbb6b960dd9cd5bc90ebf79724660bb3e6d350ff07ed07;6730228;040b235b6b894351305d0c43625cf8eb4640627a506980e9e51d15be8fc3fb677165e95b4e235f3d6909a676b433d996d932840a731d13e0172858ba5e83ce0cc3;008bb99df5b2d1dc91e08eb03f9b5b1f599e00249ac1c0ca17c821e62e2a18d140;c0767fa0cbacee16d0058b5c1c1f7e42e3fcf663c43c76e67d5d2b443d4541318;5522559;04acdec418cfa1ae61a3f969602480e362784e45f6c2d05e06ce30e363e616b6dcb00373d266fb9a5f731b88bb265b23683de5d5bbe35d709cafd3f57742fc6abf;00fe4f270444b99adaeae0bc525a857cb57d3075767183a15e5db9bc71aff8cbb2;e1fa8558593e56dd3108493d5171beb41922bbe23a6924525d2e0469c9de0cdb...Snippet below demonstrates the support for using a deterministic PRNG (-ps) in some of the libraries (see the output oflist-libs):
> java -jar ECTesterStandalone.jar generate -n 5 -ps 1234 -b 256 Bouncyindex;time[nano];pubW;privS0;33664582;04db8bdd6cb30d08a0355d48b65ddfc123944d29395f9f5e1bc2bfe70b4ee44ad39e4005df1e61251b4e9a9d8d47b78fd4ce98181883d2bfd634743758397f54ae;00e08df38827302c3315b833022189f61af3af9fbcb6e53697724374861f1982ee1;3584575;0458bc7baf831c1a316a8deb9fb3109841f10d3cb8828b583b9883a518fa04633488e2fa991e70c98612c989fdfd6aa25118947e8a17bfc36ad1f51a8bdc473e3d;0f5a481f518751bbd2112e4fcc3d1ac60cd66a474af9a57cedbd1e62a52b6bd92;2746750;04827d7247b6d478cc85df313a9ea4f102301b0bd125b18e0111cd02e53b319830b2d0218551504cfc6b1226ac7fa430388f677cab2ea36997e344078328d12207;222898920190d28dac732b8e1fa69dd9907c667604c54db70c41b4815eafc94b3;2828535;0473104cec678c5ea20857435f19280975c2a3b2d22e7f8005c33d019de6b707012960b96a80f0f358a69dcd5dd34c748cae3fa9f45b720f5a7d241017010c1af1;3fb2f7c3a15f86f000017e42f79557befe7472ff462d3321bc13a043c251345c4;14181365;04854011114eb3e0fcf21f2416e0adbb0fc81d84530860ca40b6a86c85aa4e66b455382b71f8b6144f6294376912334ff1b23bb49da8fe1bda0e0e89ccbe9145f6;65675a954fff3287be1fc61dbb176f6784ece16c6b5675d556c57fd58974b358> java -jar ECTesterStandalone.jar generate -n 5 -ps 1234 -b 256 Bouncyindex;time[nano];pubW;privS0;35138528;04db8bdd6cb30d08a0355d48b65ddfc123944d29395f9f5e1bc2bfe70b4ee44ad39e4005df1e61251b4e9a9d8d47b78fd4ce98181883d2bfd634743758397f54ae;00e08df38827302c3315b833022189f61af3af9fbcb6e53697724374861f1982ee1;2351304;0458bc7baf831c1a316a8deb9fb3109841f10d3cb8828b583b9883a518fa04633488e2fa991e70c98612c989fdfd6aa25118947e8a17bfc36ad1f51a8bdc473e3d;0f5a481f518751bbd2112e4fcc3d1ac60cd66a474af9a57cedbd1e62a52b6bd92;3315124;04827d7247b6d478cc85df313a9ea4f102301b0bd125b18e0111cd02e53b319830b2d0218551504cfc6b1226ac7fa430388f677cab2ea36997e344078328d12207;222898920190d28dac732b8e1fa69dd9907c667604c54db70c41b4815eafc94b3;2883430;0473104cec678c5ea20857435f19280975c2a3b2d22e7f8005c33d019de6b707012960b96a80f0f358a69dcd5dd34c748cae3fa9f45b720f5a7d241017010c1af1;3fb2f7c3a15f86f000017e42f79557befe7472ff462d3321bc13a043c251345c4;2060970;04854011114eb3e0fcf21f2416e0adbb0fc81d84530860ca40b6a86c85aa4e66b455382b71f8b6144f6294376912334ff1b23bb49da8fe1bda0e0e89ccbe9145f6;65675a954fff3287be1fc61dbb176f6784ece16c6b5675d556c57fd58974b358It is recommended to disableCPU frequency scaling of your processor before performing collection of timing data, as it adds significant noise to the data as it kicks in. Also, running the collection on very high priority and locked to a single core (taskset -c 0) helps as well.
ECTester contains a few Jupyter notebooks that perform timing analysis on data generated by either the ECTester reader app or the standalone app. These notebooks currently operate on data from the ECDSA, ECDH or key generation commands.
- matplotlib
- numpy
- scipy
- Jupyter
- asn1crypto
To analyze ECDSA data, use theplot_dsa.ipynb notebook. Enter the options in the second cell, including filename, curve, desired time units and then simply run the following cells to obtain heatmaps of the timing data of ECDSA like those displayed below.
This heatmap above is a heatmap of the most significant byte of ECDSA random nonces and the signature time, one can see that there is a clear dependency between certain most significant bits of the nonce and signature time. This is due to the scalar multiplication leaking via timing and was the issue behindCVE-2019-14318 in Crypto++.
This heatmap shows a non leaking implementation that is constant time and does not leak any information (via timing) about the secret scalar in scalar multiplication.
About
Tests support and behavior of elliptic curve cryptography implementations on JavaCards (TYPE_EC_FP and TYPE_EC_F2M) and in selected software libraries.