1// Copyright 2011 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5// Package ecdsa implements the Elliptic Curve Digital Signature Algorithm, as 6// defined in FIPS 186-4 and SEC 1, Version 2.0. 7// 8// Signatures generated by this package are not deterministic, but entropy is 9// mixed with the private key and the message, achieving the same level of 10// security in case of randomness source failure. 11// 12// Operations involving private keys are implemented using constant-time 13// algorithms, as long as an [elliptic.Curve] returned by [elliptic.P224], 14// [elliptic.P256], [elliptic.P384], or [elliptic.P521] is used. 15package ecdsa 16 17// [FIPS 186-4] references ANSI X9.62-2005 for the bulk of the ECDSA algorithm. 18// That standard is not freely available, which is a problem in an open source 19// implementation, because not only the implementer, but also any maintainer, 20// contributor, reviewer, auditor, and learner needs access to it. Instead, this 21// package references and follows the equivalent [SEC 1, Version 2.0]. 22// 23// [FIPS 186-4]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf 24// [SEC 1, Version 2.0]: https://www.secg.org/sec1-v2.pdf 25 26import ( 27 "bytes" 28 "crypto" 29 "crypto/aes" 30 "crypto/cipher" 31 "crypto/ecdh" 32 "crypto/elliptic" 33 "crypto/internal/bigmod" 34 "crypto/internal/boring" 35 "crypto/internal/boring/bbig" 36 "crypto/internal/nistec" 37 "crypto/internal/randutil" 38 "crypto/sha512" 39 "crypto/subtle" 40 "errors" 41 "io" 42 "math/big" 43 "sync" 44 45 "golang.org/x/crypto/cryptobyte" 46 "golang.org/x/crypto/cryptobyte/asn1" 47) 48 49// PublicKey represents an ECDSA public key. 50type PublicKey struct { 51 elliptic.Curve 52 X, Y *big.Int 53} 54 55// Any methods implemented on PublicKey might need to also be implemented on 56// PrivateKey, as the latter embeds the former and will expose its methods. 57 58// ECDH returns k as a [ecdh.PublicKey]. It returns an error if the key is 59// invalid according to the definition of [ecdh.Curve.NewPublicKey], or if the 60// Curve is not supported by crypto/ecdh. 61func (k *PublicKey) ECDH() (*ecdh.PublicKey, error) { 62 c := curveToECDH(k.Curve) 63 if c == nil { 64 return nil, errors.New("ecdsa: unsupported curve by crypto/ecdh") 65 } 66 if !k.Curve.IsOnCurve(k.X, k.Y) { 67 return nil, errors.New("ecdsa: invalid public key") 68 } 69 return c.NewPublicKey(elliptic.Marshal(k.Curve, k.X, k.Y)) 70} 71 72// Equal reports whether pub and x have the same value. 73// 74// Two keys are only considered to have the same value if they have the same Curve value. 75// Note that for example [elliptic.P256] and elliptic.P256().Params() are different 76// values, as the latter is a generic not constant time implementation. 77func (pub *PublicKey) Equal(x crypto.PublicKey) bool { 78 xx, ok := x.(*PublicKey) 79 if !ok { 80 return false 81 } 82 return bigIntEqual(pub.X, xx.X) && bigIntEqual(pub.Y, xx.Y) && 83 // Standard library Curve implementations are singletons, so this check 84 // will work for those. Other Curves might be equivalent even if not 85 // singletons, but there is no definitive way to check for that, and 86 // better to err on the side of safety. 87 pub.Curve == xx.Curve 88} 89 90// PrivateKey represents an ECDSA private key. 91type PrivateKey struct { 92 PublicKey 93 D *big.Int 94} 95 96// ECDH returns k as a [ecdh.PrivateKey]. It returns an error if the key is 97// invalid according to the definition of [ecdh.Curve.NewPrivateKey], or if the 98// Curve is not supported by [crypto/ecdh]. 99func (k *PrivateKey) ECDH() (*ecdh.PrivateKey, error) { 100 c := curveToECDH(k.Curve) 101 if c == nil { 102 return nil, errors.New("ecdsa: unsupported curve by crypto/ecdh") 103 } 104 size := (k.Curve.Params().N.BitLen() + 7) / 8 105 if k.D.BitLen() > size*8 { 106 return nil, errors.New("ecdsa: invalid private key") 107 } 108 return c.NewPrivateKey(k.D.FillBytes(make([]byte, size))) 109} 110 111func curveToECDH(c elliptic.Curve) ecdh.Curve { 112 switch c { 113 case elliptic.P256(): 114 return ecdh.P256() 115 case elliptic.P384(): 116 return ecdh.P384() 117 case elliptic.P521(): 118 return ecdh.P521() 119 default: 120 return nil 121 } 122} 123 124// Public returns the public key corresponding to priv. 125func (priv *PrivateKey) Public() crypto.PublicKey { 126 return &priv.PublicKey 127} 128 129// Equal reports whether priv and x have the same value. 130// 131// See [PublicKey.Equal] for details on how Curve is compared. 132func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool { 133 xx, ok := x.(*PrivateKey) 134 if !ok { 135 return false 136 } 137 return priv.PublicKey.Equal(&xx.PublicKey) && bigIntEqual(priv.D, xx.D) 138} 139 140// bigIntEqual reports whether a and b are equal leaking only their bit length 141// through timing side-channels. 142func bigIntEqual(a, b *big.Int) bool { 143 return subtle.ConstantTimeCompare(a.Bytes(), b.Bytes()) == 1 144} 145 146// Sign signs digest with priv, reading randomness from rand. The opts argument 147// is not currently used but, in keeping with the crypto.Signer interface, 148// should be the hash function used to digest the message. 149// 150// This method implements crypto.Signer, which is an interface to support keys 151// where the private part is kept in, for example, a hardware module. Common 152// uses can use the [SignASN1] function in this package directly. 153func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { 154 return SignASN1(rand, priv, digest) 155} 156 157// GenerateKey generates a new ECDSA private key for the specified curve. 158// 159// Most applications should use [crypto/rand.Reader] as rand. Note that the 160// returned key does not depend deterministically on the bytes read from rand, 161// and may change between calls and/or between versions. 162func GenerateKey(c elliptic.Curve, rand io.Reader) (*PrivateKey, error) { 163 randutil.MaybeReadByte(rand) 164 165 if boring.Enabled && rand == boring.RandReader { 166 x, y, d, err := boring.GenerateKeyECDSA(c.Params().Name) 167 if err != nil { 168 return nil, err 169 } 170 return &PrivateKey{PublicKey: PublicKey{Curve: c, X: bbig.Dec(x), Y: bbig.Dec(y)}, D: bbig.Dec(d)}, nil 171 } 172 boring.UnreachableExceptTests() 173 174 switch c.Params() { 175 case elliptic.P224().Params(): 176 return generateNISTEC(p224(), rand) 177 case elliptic.P256().Params(): 178 return generateNISTEC(p256(), rand) 179 case elliptic.P384().Params(): 180 return generateNISTEC(p384(), rand) 181 case elliptic.P521().Params(): 182 return generateNISTEC(p521(), rand) 183 default: 184 return generateLegacy(c, rand) 185 } 186} 187 188func generateNISTEC[Point nistPoint[Point]](c *nistCurve[Point], rand io.Reader) (*PrivateKey, error) { 189 k, Q, err := randomPoint(c, rand) 190 if err != nil { 191 return nil, err 192 } 193 194 priv := new(PrivateKey) 195 priv.PublicKey.Curve = c.curve 196 priv.D = new(big.Int).SetBytes(k.Bytes(c.N)) 197 priv.PublicKey.X, priv.PublicKey.Y, err = c.pointToAffine(Q) 198 if err != nil { 199 return nil, err 200 } 201 return priv, nil 202} 203 204// randomPoint returns a random scalar and the corresponding point using the 205// procedure given in FIPS 186-4, Appendix B.5.2 (rejection sampling). 206func randomPoint[Point nistPoint[Point]](c *nistCurve[Point], rand io.Reader) (k *bigmod.Nat, p Point, err error) { 207 k = bigmod.NewNat() 208 for { 209 b := make([]byte, c.N.Size()) 210 if _, err = io.ReadFull(rand, b); err != nil { 211 return 212 } 213 214 // Mask off any excess bits to increase the chance of hitting a value in 215 // (0, N). These are the most dangerous lines in the package and maybe in 216 // the library: a single bit of bias in the selection of nonces would likely 217 // lead to key recovery, but no tests would fail. Look but DO NOT TOUCH. 218 if excess := len(b)*8 - c.N.BitLen(); excess > 0 { 219 // Just to be safe, assert that this only happens for the one curve that 220 // doesn't have a round number of bits. 221 if excess != 0 && c.curve.Params().Name != "P-521" { 222 panic("ecdsa: internal error: unexpectedly masking off bits") 223 } 224 b[0] >>= excess 225 } 226 227 // FIPS 186-4 makes us check k <= N - 2 and then add one. 228 // Checking 0 < k <= N - 1 is strictly equivalent. 229 // None of this matters anyway because the chance of selecting 230 // zero is cryptographically negligible. 231 if _, err = k.SetBytes(b, c.N); err == nil && k.IsZero() == 0 { 232 break 233 } 234 235 if testingOnlyRejectionSamplingLooped != nil { 236 testingOnlyRejectionSamplingLooped() 237 } 238 } 239 240 p, err = c.newPoint().ScalarBaseMult(k.Bytes(c.N)) 241 return 242} 243 244// testingOnlyRejectionSamplingLooped is called when rejection sampling in 245// randomPoint rejects a candidate for being higher than the modulus. 246var testingOnlyRejectionSamplingLooped func() 247 248// errNoAsm is returned by signAsm and verifyAsm when the assembly 249// implementation is not available. 250var errNoAsm = errors.New("no assembly implementation available") 251 252// SignASN1 signs a hash (which should be the result of hashing a larger message) 253// using the private key, priv. If the hash is longer than the bit-length of the 254// private key's curve order, the hash will be truncated to that length. It 255// returns the ASN.1 encoded signature. 256// 257// The signature is randomized. Most applications should use [crypto/rand.Reader] 258// as rand. Note that the returned signature does not depend deterministically on 259// the bytes read from rand, and may change between calls and/or between versions. 260func SignASN1(rand io.Reader, priv *PrivateKey, hash []byte) ([]byte, error) { 261 randutil.MaybeReadByte(rand) 262 263 if boring.Enabled && rand == boring.RandReader { 264 b, err := boringPrivateKey(priv) 265 if err != nil { 266 return nil, err 267 } 268 return boring.SignMarshalECDSA(b, hash) 269 } 270 boring.UnreachableExceptTests() 271 272 csprng, err := mixedCSPRNG(rand, priv, hash) 273 if err != nil { 274 return nil, err 275 } 276 277 if sig, err := signAsm(priv, csprng, hash); err != errNoAsm { 278 return sig, err 279 } 280 281 switch priv.Curve.Params() { 282 case elliptic.P224().Params(): 283 return signNISTEC(p224(), priv, csprng, hash) 284 case elliptic.P256().Params(): 285 return signNISTEC(p256(), priv, csprng, hash) 286 case elliptic.P384().Params(): 287 return signNISTEC(p384(), priv, csprng, hash) 288 case elliptic.P521().Params(): 289 return signNISTEC(p521(), priv, csprng, hash) 290 default: 291 return signLegacy(priv, csprng, hash) 292 } 293} 294 295func signNISTEC[Point nistPoint[Point]](c *nistCurve[Point], priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error) { 296 // SEC 1, Version 2.0, Section 4.1.3 297 298 k, R, err := randomPoint(c, csprng) 299 if err != nil { 300 return nil, err 301 } 302 303 // kInv = k⁻¹ 304 kInv := bigmod.NewNat() 305 inverse(c, kInv, k) 306 307 Rx, err := R.BytesX() 308 if err != nil { 309 return nil, err 310 } 311 r, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N) 312 if err != nil { 313 return nil, err 314 } 315 316 // The spec wants us to retry here, but the chance of hitting this condition 317 // on a large prime-order group like the NIST curves we support is 318 // cryptographically negligible. If we hit it, something is awfully wrong. 319 if r.IsZero() == 1 { 320 return nil, errors.New("ecdsa: internal error: r is zero") 321 } 322 323 e := bigmod.NewNat() 324 hashToNat(c, e, hash) 325 326 s, err := bigmod.NewNat().SetBytes(priv.D.Bytes(), c.N) 327 if err != nil { 328 return nil, err 329 } 330 s.Mul(r, c.N) 331 s.Add(e, c.N) 332 s.Mul(kInv, c.N) 333 334 // Again, the chance of this happening is cryptographically negligible. 335 if s.IsZero() == 1 { 336 return nil, errors.New("ecdsa: internal error: s is zero") 337 } 338 339 return encodeSignature(r.Bytes(c.N), s.Bytes(c.N)) 340} 341 342func encodeSignature(r, s []byte) ([]byte, error) { 343 var b cryptobyte.Builder 344 b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) { 345 addASN1IntBytes(b, r) 346 addASN1IntBytes(b, s) 347 }) 348 return b.Bytes() 349} 350 351// addASN1IntBytes encodes in ASN.1 a positive integer represented as 352// a big-endian byte slice with zero or more leading zeroes. 353func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) { 354 for len(bytes) > 0 && bytes[0] == 0 { 355 bytes = bytes[1:] 356 } 357 if len(bytes) == 0 { 358 b.SetError(errors.New("invalid integer")) 359 return 360 } 361 b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) { 362 if bytes[0]&0x80 != 0 { 363 c.AddUint8(0) 364 } 365 c.AddBytes(bytes) 366 }) 367} 368 369// inverse sets kInv to the inverse of k modulo the order of the curve. 370func inverse[Point nistPoint[Point]](c *nistCurve[Point], kInv, k *bigmod.Nat) { 371 if c.curve.Params().Name == "P-256" { 372 kBytes, err := nistec.P256OrdInverse(k.Bytes(c.N)) 373 // Some platforms don't implement P256OrdInverse, and always return an error. 374 if err == nil { 375 _, err := kInv.SetBytes(kBytes, c.N) 376 if err != nil { 377 panic("ecdsa: internal error: P256OrdInverse produced an invalid value") 378 } 379 return 380 } 381 } 382 383 // Calculate the inverse of s in GF(N) using Fermat's method 384 // (exponentiation modulo P - 2, per Euler's theorem) 385 kInv.Exp(k, c.nMinus2, c.N) 386} 387 388// hashToNat sets e to the left-most bits of hash, according to 389// SEC 1, Section 4.1.3, point 5 and Section 4.1.4, point 3. 390func hashToNat[Point nistPoint[Point]](c *nistCurve[Point], e *bigmod.Nat, hash []byte) { 391 // ECDSA asks us to take the left-most log2(N) bits of hash, and use them as 392 // an integer modulo N. This is the absolute worst of all worlds: we still 393 // have to reduce, because the result might still overflow N, but to take 394 // the left-most bits for P-521 we have to do a right shift. 395 if size := c.N.Size(); len(hash) >= size { 396 hash = hash[:size] 397 if excess := len(hash)*8 - c.N.BitLen(); excess > 0 { 398 hash = bytes.Clone(hash) 399 for i := len(hash) - 1; i >= 0; i-- { 400 hash[i] >>= excess 401 if i > 0 { 402 hash[i] |= hash[i-1] << (8 - excess) 403 } 404 } 405 } 406 } 407 _, err := e.SetOverflowingBytes(hash, c.N) 408 if err != nil { 409 panic("ecdsa: internal error: truncated hash is too long") 410 } 411} 412 413// mixedCSPRNG returns a CSPRNG that mixes entropy from rand with the message 414// and the private key, to protect the key in case rand fails. This is 415// equivalent in security to RFC 6979 deterministic nonce generation, but still 416// produces randomized signatures. 417func mixedCSPRNG(rand io.Reader, priv *PrivateKey, hash []byte) (io.Reader, error) { 418 // This implementation derives the nonce from an AES-CTR CSPRNG keyed by: 419 // 420 // SHA2-512(priv.D || entropy || hash)[:32] 421 // 422 // The CSPRNG key is indifferentiable from a random oracle as shown in 423 // [Coron], the AES-CTR stream is indifferentiable from a random oracle 424 // under standard cryptographic assumptions (see [Larsson] for examples). 425 // 426 // [Coron]: https://cs.nyu.edu/~dodis/ps/merkle.pdf 427 // [Larsson]: https://web.archive.org/web/20040719170906/https://www.nada.kth.se/kurser/kth/2D1441/semteo03/lecturenotes/assump.pdf 428 429 // Get 256 bits of entropy from rand. 430 entropy := make([]byte, 32) 431 if _, err := io.ReadFull(rand, entropy); err != nil { 432 return nil, err 433 } 434 435 // Initialize an SHA-512 hash context; digest... 436 md := sha512.New() 437 md.Write(priv.D.Bytes()) // the private key, 438 md.Write(entropy) // the entropy, 439 md.Write(hash) // and the input hash; 440 key := md.Sum(nil)[:32] // and compute ChopMD-256(SHA-512), 441 // which is an indifferentiable MAC. 442 443 // Create an AES-CTR instance to use as a CSPRNG. 444 block, err := aes.NewCipher(key) 445 if err != nil { 446 return nil, err 447 } 448 449 // Create a CSPRNG that xors a stream of zeros with 450 // the output of the AES-CTR instance. 451 const aesIV = "IV for ECDSA CTR" 452 return &cipher.StreamReader{ 453 R: zeroReader, 454 S: cipher.NewCTR(block, []byte(aesIV)), 455 }, nil 456} 457 458type zr struct{} 459 460var zeroReader = zr{} 461 462// Read replaces the contents of dst with zeros. It is safe for concurrent use. 463func (zr) Read(dst []byte) (n int, err error) { 464 clear(dst) 465 return len(dst), nil 466} 467 468// VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the 469// public key, pub. Its return value records whether the signature is valid. 470// 471// The inputs are not considered confidential, and may leak through timing side 472// channels, or if an attacker has control of part of the inputs. 473func VerifyASN1(pub *PublicKey, hash, sig []byte) bool { 474 if boring.Enabled { 475 key, err := boringPublicKey(pub) 476 if err != nil { 477 return false 478 } 479 return boring.VerifyECDSA(key, hash, sig) 480 } 481 boring.UnreachableExceptTests() 482 483 if err := verifyAsm(pub, hash, sig); err != errNoAsm { 484 return err == nil 485 } 486 487 switch pub.Curve.Params() { 488 case elliptic.P224().Params(): 489 return verifyNISTEC(p224(), pub, hash, sig) 490 case elliptic.P256().Params(): 491 return verifyNISTEC(p256(), pub, hash, sig) 492 case elliptic.P384().Params(): 493 return verifyNISTEC(p384(), pub, hash, sig) 494 case elliptic.P521().Params(): 495 return verifyNISTEC(p521(), pub, hash, sig) 496 default: 497 return verifyLegacy(pub, hash, sig) 498 } 499} 500 501func verifyNISTEC[Point nistPoint[Point]](c *nistCurve[Point], pub *PublicKey, hash, sig []byte) bool { 502 rBytes, sBytes, err := parseSignature(sig) 503 if err != nil { 504 return false 505 } 506 507 Q, err := c.pointFromAffine(pub.X, pub.Y) 508 if err != nil { 509 return false 510 } 511 512 // SEC 1, Version 2.0, Section 4.1.4 513 514 r, err := bigmod.NewNat().SetBytes(rBytes, c.N) 515 if err != nil || r.IsZero() == 1 { 516 return false 517 } 518 s, err := bigmod.NewNat().SetBytes(sBytes, c.N) 519 if err != nil || s.IsZero() == 1 { 520 return false 521 } 522 523 e := bigmod.NewNat() 524 hashToNat(c, e, hash) 525 526 // w = s⁻¹ 527 w := bigmod.NewNat() 528 inverse(c, w, s) 529 530 // p₁ = [e * s⁻¹]G 531 p1, err := c.newPoint().ScalarBaseMult(e.Mul(w, c.N).Bytes(c.N)) 532 if err != nil { 533 return false 534 } 535 // p₂ = [r * s⁻¹]Q 536 p2, err := Q.ScalarMult(Q, w.Mul(r, c.N).Bytes(c.N)) 537 if err != nil { 538 return false 539 } 540 // BytesX returns an error for the point at infinity. 541 Rx, err := p1.Add(p1, p2).BytesX() 542 if err != nil { 543 return false 544 } 545 546 v, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N) 547 if err != nil { 548 return false 549 } 550 551 return v.Equal(r) == 1 552} 553 554func parseSignature(sig []byte) (r, s []byte, err error) { 555 var inner cryptobyte.String 556 input := cryptobyte.String(sig) 557 if !input.ReadASN1(&inner, asn1.SEQUENCE) || 558 !input.Empty() || 559 !inner.ReadASN1Integer(&r) || 560 !inner.ReadASN1Integer(&s) || 561 !inner.Empty() { 562 return nil, nil, errors.New("invalid ASN.1") 563 } 564 return r, s, nil 565} 566 567type nistCurve[Point nistPoint[Point]] struct { 568 newPoint func() Point 569 curve elliptic.Curve 570 N *bigmod.Modulus 571 nMinus2 []byte 572} 573 574// nistPoint is a generic constraint for the nistec Point types. 575type nistPoint[T any] interface { 576 Bytes() []byte 577 BytesX() ([]byte, error) 578 SetBytes([]byte) (T, error) 579 Add(T, T) T 580 ScalarMult(T, []byte) (T, error) 581 ScalarBaseMult([]byte) (T, error) 582} 583 584// pointFromAffine is used to convert the PublicKey to a nistec Point. 585func (curve *nistCurve[Point]) pointFromAffine(x, y *big.Int) (p Point, err error) { 586 bitSize := curve.curve.Params().BitSize 587 // Reject values that would not get correctly encoded. 588 if x.Sign() < 0 || y.Sign() < 0 { 589 return p, errors.New("negative coordinate") 590 } 591 if x.BitLen() > bitSize || y.BitLen() > bitSize { 592 return p, errors.New("overflowing coordinate") 593 } 594 // Encode the coordinates and let SetBytes reject invalid points. 595 byteLen := (bitSize + 7) / 8 596 buf := make([]byte, 1+2*byteLen) 597 buf[0] = 4 // uncompressed point 598 x.FillBytes(buf[1 : 1+byteLen]) 599 y.FillBytes(buf[1+byteLen : 1+2*byteLen]) 600 return curve.newPoint().SetBytes(buf) 601} 602 603// pointToAffine is used to convert a nistec Point to a PublicKey. 604func (curve *nistCurve[Point]) pointToAffine(p Point) (x, y *big.Int, err error) { 605 out := p.Bytes() 606 if len(out) == 1 && out[0] == 0 { 607 // This is the encoding of the point at infinity. 608 return nil, nil, errors.New("ecdsa: public key point is the infinity") 609 } 610 byteLen := (curve.curve.Params().BitSize + 7) / 8 611 x = new(big.Int).SetBytes(out[1 : 1+byteLen]) 612 y = new(big.Int).SetBytes(out[1+byteLen:]) 613 return x, y, nil 614} 615 616var p224Once sync.Once 617var _p224 *nistCurve[*nistec.P224Point] 618 619func p224() *nistCurve[*nistec.P224Point] { 620 p224Once.Do(func() { 621 _p224 = &nistCurve[*nistec.P224Point]{ 622 newPoint: func() *nistec.P224Point { return nistec.NewP224Point() }, 623 } 624 precomputeParams(_p224, elliptic.P224()) 625 }) 626 return _p224 627} 628 629var p256Once sync.Once 630var _p256 *nistCurve[*nistec.P256Point] 631 632func p256() *nistCurve[*nistec.P256Point] { 633 p256Once.Do(func() { 634 _p256 = &nistCurve[*nistec.P256Point]{ 635 newPoint: func() *nistec.P256Point { return nistec.NewP256Point() }, 636 } 637 precomputeParams(_p256, elliptic.P256()) 638 }) 639 return _p256 640} 641 642var p384Once sync.Once 643var _p384 *nistCurve[*nistec.P384Point] 644 645func p384() *nistCurve[*nistec.P384Point] { 646 p384Once.Do(func() { 647 _p384 = &nistCurve[*nistec.P384Point]{ 648 newPoint: func() *nistec.P384Point { return nistec.NewP384Point() }, 649 } 650 precomputeParams(_p384, elliptic.P384()) 651 }) 652 return _p384 653} 654 655var p521Once sync.Once 656var _p521 *nistCurve[*nistec.P521Point] 657 658func p521() *nistCurve[*nistec.P521Point] { 659 p521Once.Do(func() { 660 _p521 = &nistCurve[*nistec.P521Point]{ 661 newPoint: func() *nistec.P521Point { return nistec.NewP521Point() }, 662 } 663 precomputeParams(_p521, elliptic.P521()) 664 }) 665 return _p521 666} 667 668func precomputeParams[Point nistPoint[Point]](c *nistCurve[Point], curve elliptic.Curve) { 669 params := curve.Params() 670 c.curve = curve 671 var err error 672 c.N, err = bigmod.NewModulusFromBig(params.N) 673 if err != nil { 674 panic(err) 675 } 676 c.nMinus2 = new(big.Int).Sub(params.N, big.NewInt(2)).Bytes() 677} 678