ECTester
Tests support and behavior of elliptic curve cryptography implementations on JavaCards (TYPE_EC_FP
and TYPE_EC_F2M
) and on selected software libraries. See our github for more info.
JavaCard Elliptic curve algorithm support#
The JavaCard API has support for basic Elliptic Curve Cryptography, such as ECDH and ECDSA. However not many cards actually support these algorithms. The table below displays support and performance obtained by ECTester for common curve sizes. For detailed support and implementation tests see test runs.Legend
∗ ECDH types
- ALG_EC_SVDP_DH
- ALG_EC_SVDP_DHC
- ALG_EC_SVDP_DH_PLAIN
- ALG_EC_SVDP_DHC_PLAIN
- ALG_EC_PACE_GM
- ALG_EC_SVDP_DH_PLAIN_XY
† ECDSA types
- ALG_ECDSA_SHA
- ALG_ECDSA_SHA_224
- ALG_ECDSA_SHA_256
- ALG_ECDSA_SHA_384
- ALG_ECDSA_SHA_512
‡ Colors
- Full support
- Some support
- No support
- Not defined
Card list
This page contains results for the following cards:- ACS ACOSJ 40K 3b69000241434f534a76313031
- Athena IDProtect 3bd518ff8191fe1fc38073c8211309
- Feitian A22CR 3b9c9580811f039067464a01003504f272fe00a1
- G&D SmartCafe 6.0 3bfe1800008031fe4553434536302d43443038312d6e46a9
- G&D SmartCafe 7.0 3bf99600008031fe4553434537200000202027
- Infineon CJTOP 80K INF SLJ 52GLA080AL M8.4 3bfe1800008031fe45803180664090a5102e1083019000f2
- Infineon SLE78 Universal JCard 3bfd9600008131fe45534c4a353247444c313238435257
- NXP JCOP31 v2.4.1 3bf81300008131fe454a434f5076323431b7
- NXP JCOP CJ2A081 3bf81300008131fe454a434f5076323431b7
- NXP JCOP v2.4.2 R2 3bf91300008131fe454a434f503234325232a3
- NXP JCOP v2.4.2 R3 3bf01300008131fe45e8
- Oberthur Cosmo v7 3bdb960080b1fe451f830031c064c308010001900095
- TaiSYS SIMoME VAULT 3b9f95803fc7a08031e073fa21106300000083f09000bb
$ \mathbb{F}_p $ support
Card∗†‡ | 192b | 256b | 384b | 521b | ||||
---|---|---|---|---|---|---|---|---|
ECDH | ECDSA | ECDH | ECDSA | ECDH | ECDSA | ECDH | ECDSA | |
ACS ACOSJ 40K | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e | ✘ | ✘ |
Athena IDProtect | 1,2,3,4 | a,b,c | 1,2,3,4 | a,b,c | 1,2,3,4 | a,b,c | 1,2,3,4 | a,b,c |
Feitian A22CR | ||||||||
G&D SmartCafe 6.0 | 1,2,3,4 | a,b,c,d,e | 1,2,4,3 | a,b,c,d,e | ✘ | ✘ | ✘ | ✘ |
G&D SmartCafe 7.0 | 1,2,3,4 | a,b,c,d,e | 1,2,4,3 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e |
Infineon CJTOP 80k | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e | ✘ | ✘ |
Infineon SLE78 | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e |
NXP JCOP31 v2.4.1 | 1,2 | a | 1,2 | a | ✘ | ✘ | ✘ | ✘ |
NXP JCOP CJ2A081 | 1,2 | a | 1,2 | a | ✘ | ✘ | ✘ | ✘ |
NXP JCOP v2.4.2 R2 | 1,3 | a,b,c | 1,3 | a,b,c | ✘ | ✘ | ✘ | ✘ |
NXP JCOP v2.4.2 R3 | 1,3 | a,b,c | 1,3 | a,b,c | ✘ | ✘ | ✘ | ✘ |
Oberthur Cosmo v7 | 1,2 | a | 1,2 | a | 1,2 | a | 1,2 | a |
TaiSYS SIMoME VAULT | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e | 1,2,3,4 | a,b,c,d,e |
$ \mathbb{F}_p $ performance
The following table shows performance of tested cards in ECDH and ECDSA over popular $ \mathbb{F}_p $ curve sizes. Key generation performance is similar to ECDH performance. ECDSA timings are split for sign+verify operations. Times are in milliseconds.Card‡ | Type | 192b | 256b | 384b | 521b | |||||
---|---|---|---|---|---|---|---|---|---|---|
∗ | † | ECDH | ECDSA | ECDH | ECDSA | ECDH | ECDSA | ECDH | ECDSA | |
ACS ACOSJ 40K | ||||||||||
1 | a | 172 | 254+257 | 209 | 311+315 | 360 | 503+536 | ✘ | ✘ | |
2 | b | 172 | 255+256 | 209 | 311+316 | 360 | 505+535 | ✘ | ✘ | |
3 | c | 172 | 254+257 | 209 | 311+315 | 360 | 505+537 | ✘ | ✘ | |
4 | d | 172 | 255+261 | 210 | 310+316 | 360 | 505+537 | ✘ | ✘ | |
5 | e | ✘ | 255+260 | ✘ | 311+315 | ✘ | 505+538 | ✘ | ✘ | |
6 | ✘ | ✘ | ✘ | ✘ | ||||||
Athena IDProtect | ||||||||||
1 | a | 147 | 110+163 | 209 | 148+228 | 448 | 279+473 | 937 | 537+970 | |
2 | b | 147 | 113+167 | 209 | 150+230 | 448 | 281+477 | 938 | 540+973 | |
3 | c | 148 | 114+165 | 209 | 150+231 | 448 | 281+475 | 937 | 540+972 | |
4 | d | 146 | ✘ | 209 | ✘ | 448 | ✘ | 938 | ✘ | |
5 | e | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
6 | ✘ | ✘ | ✘ | ✘ | ||||||
Feitian A22CR | ||||||||||
1 | a | |||||||||
2 | b | |||||||||
3 | c | |||||||||
4 | d | |||||||||
5 | e | |||||||||
6 | ||||||||||
G&D SmartCafe 6.0 | ||||||||||
1 | a | 128 | 110+135 | 192 | 145+197 | ✘ | ✘ | ✘ | ✘ | |
2 | b | 128 | 122+147 | 193 | 158+210 | ✘ | ✘ | ✘ | ✘ | |
3 | c | 126 | 123+147 | 190 | 158+209 | ✘ | ✘ | ✘ | ✘ | |
4 | d | 126 | 127+152 | 191 | 162+214 | ✘ | ✘ | ✘ | ✘ | |
5 | e | ✘ | 127+152 | ✘ | 162+214 | ✘ | ✘ | ✘ | ✘ | |
6 | ✘ | ✘ | ✘ | ✘ | ||||||
G&D SmartCafe 7.0 | ||||||||||
1 | a | 67 | 69+80 | 94 | 85+108 | 161 | 123+176 | 254 | 174+273 | |
2 | b | 67 | 71+82 | 94 | 87+111 | 161 | 128+180 | 255 | 177+275 | |
3 | c | 66 | 71+83 | 93 | 88+110 | 160 | 126+180 | 253 | 175+275 | |
4 | d | 66 | 72+83 | 93 | 87+111 | 161 | 126+180 | 253 | 177+276 | |
5 | e | ✘ | 72+83 | ✘ | 88+111 | ✘ | 126+180 | ✘ | 178+276 | |
6 | ✘ | ✘ | ✘ | ✘ | ||||||
Infineon CJTOP 80k | ||||||||||
1 | a | 138 | 144+113 | 167 | 175+138 | 240 | 254+202 | ✘ | ✘ | |
2 | b | 208 | 151+120 | 267 | 183+144 | 414 | 262+207 | ✘ | ✘ | |
3 | c | 207 | 151+121 | 263 | 182+145 | 408 | 261+207 | ✘ | ✘ | |
4 | d | 205 | 176+145 | 264 | 207+169 | 408 | 286+232 | ✘ | ✘ | |
5 | e | ✘ | 175+145 | ✘ | 208+171 | ✘ | 287+233 | ✘ | ✘ | |
6 | ✘ | ✘ | ✘ | ✘ | ||||||
Infineon SLE78 | ||||||||||
1 | a | 83 | 170+201 | 109 | 226+275 | 177 | 367+467 | 315 | 650+806 | |
2 | b | 83 | 188+220 | 109 | 243+293 | 177 | 384+483 | 315 | 667+827 | |
3 | c | 79 | 188+219 | 105 | 243+293 | 173 | 384+482 | 308 | 667+826 | |
4 | d | 79 | 208+240 | 105 | 263+313 | 173 | 405+504 | 308 | 688+846 | |
5 | e | ✘ | 208+241 | ✘ | 264+314 | ✘ | 405+503 | ✘ | 688+847 | |
6 | ✘ | ✘ | ✘ | ✘ | ||||||
NXP JCOP31 v2.4.1 | ||||||||||
1 | a | 122 | 140+167 | 190 | 192+260 | ✘ | ✘ | ✘ | ✘ | |
2 | b | 123 | ✘ | 191 | ✘ | ✘ | ✘ | ✘ | ✘ | |
3 | c | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
4 | d | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
5 | e | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
6 | ✘ | ✘ | ✘ | ✘ | ||||||
NXP JCOP CJ2A081 | ||||||||||
1 | a | 76 | 93+107 | 124 | 129+168 | ✘ | ✘ | ✘ | ✘ | |
2 | b | 76 | ✘ | 124 | ✘ | ✘ | ✘ | ✘ | ✘ | |
3 | c | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
4 | d | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
5 | e | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
6 | ✘ | ✘ | ✘ | ✘ | ||||||
NXP JCOP v2.4.2 R3 | ||||||||||
1 | a | 101 | 111+111 | 154 | 151+172 | ✘ | ✘ | ✘ | ✘ | |
2 | b | 96 | 114+113 | ✘ | 154+178 | ✘ | ✘ | ✘ | ✘ | |
3 | c | ✘ | 114+114 | ✘ | 154+176 | ✘ | ✘ | ✘ | ✘ | |
4 | d | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
5 | e | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
6 | ✘ | ✘ | ✘ | ✘ | ||||||
Oberthur Cosmo v7 | ||||||||||
1 | a | 881 | 806+925 | 1183 | 1067+1256 | 2190 | 1907+2399 | 4246 | 3612+4790 | |
2 | b | 793 | ✘ | 1051 | ✘ | 1889 | ✘ | 3593 | ✘ | |
3 | c | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
4 | d | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
5 | e | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | |
6 | ✘ | ✘ | ✘ | ✘ | ||||||
TaiSYS SIMoME VAULT | ||||||||||
1 | a | 109 | 217+288 | 132 | 267+352 | 202 | 439+585 | 340 | 935+1220 | |
2 | b | 108 | 211+282 | 135 | 251+340 | 201 | 443+590 | 346 | 922+1201 | |
3 | c | 105 | 226+293 | 130 | 271+356 | 198 | 460+586 | 341 | 923+1202 | |
4 | d | 106 | 222+289 | 125 | 259+348 | 198 | 433+579 | 341 | 913+1202 | |
5 | e | ✘ | 221+282 | ✘ | 261+349 | ✘ | 447+576 | ✘ | 912+1200 | |
6 | ✘ | ✘ | ✘ | ✘ |
$ \mathbb{F}_p $ default curves
The JavaCard API allows cards to specify default curves to be used when generating EC keys using theKeyPair
class.
Grey background shows that no default curve is present and one should be specified after creating
the keypair, see the implementation guide.
Card | 112b | 128b | 160b | 192b | 224b | 256b | 384b | 521b |
---|---|---|---|---|---|---|---|---|
Athena IDProtect | ||||||||
Feitian A22 CR | secp112r1 | secp128r1 | secp160r1 | P-192secp192r1 | P-224secp224r1 | SMP256V1 | ||
FeitianFeitian A22 | ||||||||
G&D Smartcafe 6.0 | ||||||||
G&D Smartcafe 7.0 | ||||||||
Infineon CJTOP 80k | brainpoolP160r1 | brainpoolP192r | brainpoolP224r1 | brainpoolP256r1 | ||||
Infineon SLE78 | brainpoolP256r1 | |||||||
NXP JCOP31 v2.4.1 | secp128r1 | secp160r1 | P-192secp192r1 | |||||
NXP JCOP CJ2A081 | secp128r1 | secp160r1 | P-192secp192r1 | |||||
NXP JCOP v2.4.2 R2 | ||||||||
NXP JCOP v2.4.2 R3 | ||||||||
NXP JCOP v2.4.2 R3 J2E145G | ||||||||
TaiSYS SIMoME VAULT | secp112r1 | secp128r1 | secp160r1 | secp192r1 | secp224r1 | secp256r1 |
$ \mathbb{F}_{2^m} $
Support for binary field curves on cards is very weak, very little cards have any. For more information see JCAlgTest support table.Implementation guide#
A basic example of EC KeyPair generation is visible below, for a more complete example see ECExample.java.
// secp256r1 from http://www.secg.org/sec2-v2.pdf
byte[] EC256_FP_P = new byte[]{
(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
byte[] EC256_FP_A = new byte[]{
(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFC};
byte[] EC256_FP_B = new byte[]{
(byte) 0x5A, (byte) 0xC6, (byte) 0x35, (byte) 0xD8, (byte) 0xAA, (byte) 0x3A, (byte) 0x93, (byte) 0xE7,
(byte) 0xB3, (byte) 0xEB, (byte) 0xBD, (byte) 0x55, (byte) 0x76, (byte) 0x98, (byte) 0x86, (byte) 0xBC,
(byte) 0x65, (byte) 0x1D, (byte) 0x06, (byte) 0xB0, (byte) 0xCC, (byte) 0x53, (byte) 0xB0, (byte) 0xF6,
(byte) 0x3B, (byte) 0xCE, (byte) 0x3C, (byte) 0x3E, (byte) 0x27, (byte) 0xD2, (byte) 0x60, (byte) 0x4B};
byte[] EC256_FP_G = new byte[]{
(byte) 0x04,
(byte) 0x6B, (byte) 0x17, (byte) 0xD1, (byte) 0xF2, (byte) 0xE1, (byte) 0x2C, (byte) 0x42, (byte) 0x47,
(byte) 0xF8, (byte) 0xBC, (byte) 0xE6, (byte) 0xE5, (byte) 0x63, (byte) 0xA4, (byte) 0x40, (byte) 0xF2,
(byte) 0x77, (byte) 0x03, (byte) 0x7D, (byte) 0x81, (byte) 0x2D, (byte) 0xEB, (byte) 0x33, (byte) 0xA0,
(byte) 0xF4, (byte) 0xA1, (byte) 0x39, (byte) 0x45, (byte) 0xD8, (byte) 0x98, (byte) 0xC2, (byte) 0x96,
(byte) 0x4F, (byte) 0xE3, (byte) 0x42, (byte) 0xE2, (byte) 0xFE, (byte) 0x1A, (byte) 0x7F, (byte) 0x9B,
(byte) 0x8E, (byte) 0xE7, (byte) 0xEB, (byte) 0x4A, (byte) 0x7C, (byte) 0x0F, (byte) 0x9E, (byte) 0x16,
(byte) 0x2B, (byte) 0xCE, (byte) 0x33, (byte) 0x57, (byte) 0x6B, (byte) 0x31, (byte) 0x5E, (byte) 0xCE,
(byte) 0xCB, (byte) 0xB6, (byte) 0x40, (byte) 0x68, (byte) 0x37, (byte) 0xBF, (byte) 0x51, (byte) 0xF5};
byte[] EC256_FP_R = new byte[]{
(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
(byte) 0xBC, (byte) 0xE6, (byte) 0xFA, (byte) 0xAD, (byte) 0xA7, (byte) 0x17, (byte) 0x9E, (byte) 0x84,
(byte) 0xF3, (byte) 0xB9, (byte) 0xCA, (byte) 0xC2, (byte) 0xFC, (byte) 0x63, (byte) 0x25, (byte) 0x51};
short EC256_FP_K = 1;
// 1. Allocate the KeyPair object.
// ! This should be done in the Applet constructor !
KeyPair example = new KeyPair(KeyPair.ALG_EC_FP, (short) 256);
// 2. If the key parts are not available, call genKeyPair.
if (example.getPrivate() == null || example.getPublic() == null) {
// Sometimes cards require this so we have the keyparts, to
// set parameters on.
try {
example.genKeyPair();
} catch (Exception ignored) {}
}
// 3. Get the key parts and set custom domain parameters on them.
ECPrivateKey priv = (ECPrivateKey) example.getPrivate();
ECPublicKey pub = (ECPublicKey) example.getPublic();
priv.setFieldFP(EC256_FP_P, (short) 0, EC256_FP_P.length);
pub.setFieldFP(EC256_FP_P, (short) 0, EC256_FP_P.length);
priv.setA(EC256_FP_A, (short) 0, EC256_FP_A.length);
pub.setA(EC256_FP_A, (short) 0, EC256_FP_A.length);
priv.setB(EC256_FP_B, (short) 0, EC256_FP_B.length);
pub.setB(EC256_FP_B, (short) 0, EC256_FP_B.length);
priv.setG(EC256_FP_G, (short) 0, EC256_FP_G.length);
pub.set(EC256_FP_G, (short) 0, EC256_FP_G.length);
priv.setR(EC256_FP_R, (short) 0, EC256_FP_R.length);
pub.setR(EC256_FP_R, (short) 0, EC256_FP_R.length);
priv.setK(EC256_FP_K);
pub.setK(EC256_FP_K);
// 4. Generate the KeyPair over the custom set domain parameters.
example.genKeyPair();
// Now, the example keypair is ready for use.
Common JavaCard ECC usage pitfalls
The JavaCard ECC API is quite general in its requirements for implementations, which means different cards can behave differently and cause errors.No curve is set by default
KeyPairs allocated withnew KeyPair(type, size)
might or might not have set some default domain parameters.
Which means using keypair.genKeyPair()
just after allocating a KeyPair object will probably result in an exception.
Thus, it is always better to explicitly setup custom domain parameters, using a known/standard curve, before trying to generate the KeyPair.
genKeyPair() required to get key parts
On some cards a newly allocated KeyPair does not yet contain the individual key parts (theECPublicKey
and ECPrivateKey
).
Thus doing keypair.getPrivate()
or keypair.getPublic()
will return null
. Which makes setting
custom domain parameters on the key parts harder. This can usually be fixed by calling keypair.genKeyPair()
, which however might throw an exception,
and then setting the custom domain parameters on the now accessible key parts.
clearKey() behaviour
Thekeypair.clearKey()
method might clear out the set domain parameters of the keypair as well as the key contents.
getK() behaviour
TheECKey.getK()
method might throw an exception if the card does not support working with the cofactor value.
Test suite runs#
The results of various test suites, run on a set of cards are available below:Docs#
- Test suites - Contains a list of implemented test suites and their descriptions.
- Curve categories - Contains a list of known curve categories and their descriptions.
- Libraries - Contains a list of software libraries with support for ECC, a brief description of their implementation and whether ECTester supports them.
- Implementations - Contains information on implementing ECC, curve models, scalar multiplication, coordinates and implementation choices between them.