2

I have a smart card which supports JavaCard 2.2.2 and I would like to develop a signature with tickets on elliptic curve. To do that, I need to compute the sum of 2 points on an elliptic curve. I've read the JavaCard's API and I don't think it is possible, in fact there are things about elliptic curves but only for algorithms that are already developed (ECPrivateKey for ECDSA for example ...). But when you want to create an ECPrivateKey, you have to give the parameters which define the elliptic curve, so it is defined somewhere, right?

To put it in a nutshell, is it possible to develop a Java cardlet which makes computation (sum, product of points...) over an elliptic curve?

I am a little bit lost about this so thank you very much for your help :)

Maarten Bodewes
Raoul722

3 Answers

3

No, it is not currently possible with the standard Java API, at least not without doing all the required computations yourself, which would require a lot of complex code and the implementation of a multiplier (which will not perform well).

It may just be present in some proprietary APIs though (such as certain versions of JCOP, to name a completely random example).


Update: 3.0.5 contains ALG_EC_PACE_GM. That's still not point addition, but it can be used to implement PACE without proprietary extensions. If the card implements the algorithm in the first place, of course.

Maarten Bodewes
2

I'll post everything that was found based on Maarten Bodewes' answer just to make things clear for further readers.

  1. Yes, some proprietary JCOP API for ECC on JavaCard exists. Example can be found here. Here is discussion about JCOP.
  2. There is neither free tool for integrating this API to existing simulators nor native JCOP simulators available. For free, at least.
  3. There is some API provided by Gemalto. At least, I've seen a piece of code that does things like that:

    import com.gemalto.javacard.gostservices.math.ECMathFp;
    ...
    private ECPoint point;
    ...

    Unfortunately, I've no further info about this Gemalto feature.

  4. Summing up: there is still nothing to do about ECC on javacard.

    If someone can share details about the subject at p.3 - this would be really interesting (for me, at least)

Community
im_infamous
1

Just in case someone is still looking for a solution:

JCMathlib realizes ECPoint addition. You can load your curve, initialize your EC points and perform all primitive EC point operations.

If it's for prototyping or side-channel attacks are not in your threat model, it should work nicely. But please note that it's unlikely that the lib will ever be as resistant to side-channel attacks as a hardware implementation.

Disclaimer: I'm one of the lib authors. :)

  • Will JCMathLib do multiplication quickly? I want to compute public keys at runtime from known private keys but I don't have any devices that do plain xy natively. – Billy Back Bedroom Jul 15 '18 at 18:30
  • @BillyBackBedroom If you are referring to EC point-scalar multiplication, indeed JCMathLib does that! Here is a link to the method: https://github.com/OpenCryptoProject/JCMathLib/blob/066f30fb2957ae6cf997819838657b7526fae891/JCMathLib/src/opencrypto/jcmathlib/ECPoint.java#L292 Unfortunately, it is the slowest operation. It depends on the card, but it is usually a bit less than 4 seconds. However, if you somehow have a card that supports ALG_EC_SVDP_DH_PLAIN_XY then simply enable it from the ECPoint_helper class, and it will be significantly faster. – Vasilios Mavroudis Jul 15 '18 at 22:48
  • Thank you. I looked at the code and it turns out if I send 0x03 as the algorithm to KeyAgreement I get back the compressed EC point - which I did not expect but I'm happy enough with that on this device for the time being. It's the ACOSJ for what it's worth, and it's taking < 500ms. – Billy Back Bedroom Jul 16 '18 at 13:12
  • Glad you solved it! Just note that KeyAgreement_ALG_EC_SVDP_DH_PLAIN (i.e., the 0x03 option in JCMathLib) does not really return the compressed EC Point. It returns only the x coordinate, while compressed points also include the first bit of the y coordinate. The idea is that given x, you can solve the elliptic curve equation for y. This gives you two candidate points (x,y) and (x,-y). If you have the first bit of y, you can use that to pick the correct one of those two points. Without that bit, it's less straightforward but you can still do it (we do it in JCMathLib). – Vasilios Mavroudis Jul 16 '18 at 14:02