mirage-crypto-ec: add Brainpool curves with 254/384/512 bits

This change adds the Brainpool curves, namely brainpoolP254r1,
brainpoolP384r1, brainpoolP512r1.  The implementation internally uses the
twisted versions of the curves (...t1) in order to use the same a=-3 EC
arithmetic as the NIST curves.  Point coordinates in regular form are
transformed to twisted form before calculations, and vice versa afterwards.

bench/speed.ml

@@ -76,6 +76,7 @@ let msg_str = String.make 100 '\xAA'
 
 let msg_str_32 = String.sub msg_str 0 32
 let msg_str_48 = String.sub msg_str 0 48
+let msg_str_64 = String.sub msg_str 0 64
 let msg_str_65 = String.sub msg_str 0 65
 
 module PSS = Mirage_crypto_pk.Rsa.PSS(Digestif.SHA256)
@@ -214,6 +215,27 @@ let ecdsa_p521 =
 
 let ecdsa_p521_sig () = Mirage_crypto_ec.P521.Dsa.sign ~key:ecdsa_p521 msg_str_65
 
+let ecdsa_brainpoolp256 =
+  Result.get_ok
+    (Mirage_crypto_ec.BrainpoolP256.Dsa.priv_of_octets
+       "\x08\x9f\x4f\xfc\xcc\xf9\xba\x13\xfe\xdd\x09\x42\xef\x08\xcf\x2d\x90\x9f\x32\xe2\x93\x4a\xb5\xc9\x3b\x6c\x99\xbe\x5a\x9f\xf5\x27")
+
+let ecdsa_brainpoolp256_sig () = Mirage_crypto_ec.BrainpoolP256.Dsa.sign ~key:ecdsa_brainpoolp256 msg_str_32
+
+let ecdsa_brainpoolp384 =
+  Result.get_ok
+    (Mirage_crypto_ec.BrainpoolP384.Dsa.priv_of_octets
+       "\x24\xdd\xf0\xfb\xb4\x1c\x28\x36\x5d\x30\x2d\xd9\xd2\x6f\xf9\xc3\x2c\x76\xc8\x5f\xa8\xb9\x13\x8a\x3e\xc6\x21\xd0\xca\xff\x6d\xe8\xa7\x24\xb4\x5d\x6f\xe0\xd9\x18\x00\x44\x24\x2b\x9f\x41\xc8\x4b")
+
+let ecdsa_brainpoolp384_sig () = Mirage_crypto_ec.BrainpoolP384.Dsa.sign ~key:ecdsa_brainpoolp384 msg_str_48
+
+let ecdsa_brainpoolp512 =
+  Result.get_ok
+    (Mirage_crypto_ec.BrainpoolP512.Dsa.priv_of_octets
+       "\x62\x80\xeb\x95\x40\x5f\xa8\xc0\xe9\xd9\x70\x54\x73\x01\xbb\xef\xb1\x52\xc8\xc8\x11\x4a\xbc\x73\x0c\x89\xbf\x6d\xb3\xf7\xd9\x49\xfc\xfd\x7e\xbb\x82\xfd\x2d\xbd\x43\xd2\x8d\x47\xbf\x4e\xd9\x5d\xe9\x7b\xae\xd1\x9f\x7d\x08\x7c\xf3\x03\xd2\xb0\xcd\x41\x37\x67")
+
+let ecdsa_brainpoolp512_sig () = Mirage_crypto_ec.BrainpoolP512.Dsa.sign ~key:ecdsa_brainpoolp512 msg_str_64
+
 let ed25519 =
   Result.get_ok (Mirage_crypto_ec.Ed25519.priv_of_octets
                    "\x3e\x0a\xb6\x82\x17\x12\x75\xc5\x69\xfc\xe9\xca\x8b\xcc\xd2\xd2\x77\x14\x54\xa2\x30\x0c\x35\x29\xf7\xa4\xd8\x0b\x84\x38\x83\xbc")
@@ -225,6 +247,9 @@ let ecdsas = [
   ("P256k1", `P256k1 (ecdsa_p256k1, ecdsa_p256k1_sig ()));
   ("P384", `P384 (ecdsa_p384, ecdsa_p384_sig ()));
   ("P521", `P521 (ecdsa_p521, ecdsa_p521_sig ()));
+  ("BrainpoolP256", `BrainpoolP256 (ecdsa_brainpoolp256, ecdsa_brainpoolp256_sig ()));
+  ("BrainpoolP384", `BrainpoolP384 (ecdsa_brainpoolp384, ecdsa_brainpoolp384_sig ()));
+  ("BrainpoolP512", `BrainpoolP512 (ecdsa_brainpoolp512, ecdsa_brainpoolp512_sig ()));
   ("Ed25519", `Ed25519 (ed25519, ed25519_sig ()));
 ]
 
@@ -238,6 +263,12 @@ let ecdh_shares =
                     "\x04\x04\x89\xcf\x24\xbc\x80\xbf\x89\xfd\xfe\x9c\x05\xec\xc3\x9f\x69\x16\xad\x45\x09\xd9\x39\x85\x97\x95\x0d\x3d\x24\xe8\x28\xf6\xbf\x56\xba\x4a\xd6\xd2\x1e\xd7\x86\x3b\xed\x68\xe4\x13\x36\x4b\xd4\xc7\xb1\xe9\x04\x7d\x36\x12\x4c\x69\x53\xbe\x7c\x61\x20\x9c\xb3\xfc\x56\x45\x2f\x73\x05\x29\x37\x83\xc7\xc0\xed\x92\x9d\x6c\x98\xc7\xbc\x97\xf6\x0a\x72\xed\x22\x69\xa8\xeb\x19\xbb\x7e\xe1\x31"));
     ("P521", `P521 (Mirage_crypto_ec.P521.Dh.secret_of_octets "\x00\xaa\x47\x0b\xa1\xcc\x84\x3b\xa3\x14\x82\x1e\x72\xde\x4c\xd2\x99\xae\xc1\xf2\x6e\x9d\x64\xa0\xd8\x7d\xb1\x8a\x3d\xa9\xf6\x5c\x45\xec\xfc\xc5\x61\x7f\xf0\xd7\x3b\x2e\x0e\x1c\xdf\xf8\x04\x8e\x01\xbe\x5e\x20\x14\x94\x12\xe7\xdb\xfa\xb7\xfe\xae\x24\x9b\x1b\xfa\x4d" |> Result.get_ok |> fst,
                     "\x04\x00\x1d\x16\x29\xee\xb1\xc4\x25\xf9\x04\xd7\x55\x33\x00\x79\xd1\x3c\x77\xda\x92\x1e\x01\xcf\x50\xd7\x17\xe0\xd6\x85\x0a\x81\xa3\x90\x2b\xb9\x2a\x03\xfa\xea\xcb\xd6\x28\x9c\x15\x90\x68\x5a\x60\x44\xb5\xe9\x4d\xcf\xc4\x1d\xeb\x6a\x88\xdb\x62\xa8\x91\xb0\xb8\x93\xbb\x00\xe4\x2a\x66\xb2\xf0\x13\xbd\xd0\xd2\x7d\x8e\x07\xcb\x35\xfc\x3e\x2c\x2b\x22\xf9\x3e\xcf\xd5\xea\xb7\x88\x61\x97\xca\x07\x3c\x2c\x5e\x68\x31\xd6\x5e\x2d\x0b\x8a\xa4\x08\x43\x8e\x49\x54\x2f\x05\xf4\x1c\x57\x6d\xf7\x0e\x3c\xaf\x5b\xb8\x22\x7d\x48\x30\x94\xae\x58"));
+    ("BrainpoolP256", `BrainpoolP256 (Mirage_crypto_ec.BrainpoolP256.Dh.secret_of_octets "\x47\x0d\x57\x70\x6c\x77\x06\xb6\x8a\x3f\x42\x3a\xea\xf4\xff\x7f\xdd\x02\x49\x4a\x10\xd3\xe3\x81\xc3\xc1\x1f\x72\x76\x80\x2c\xdc" |> Result.get_ok |> fst,
+                    "\x04\x4c\xee\x5e\x10\x72\xb3\x0d\x64\xf7\x0b\xf0\x19\x58\xe2\x2c\x04\x4a\x21\x27\xdd\xd7\x44\xce\x30\x60\xc1\x59\x90\xff\x0f\xe1\x14\x8c\x6e\xe5\x65\x59\x82\x9a\x5a\x84\xdd\x5c\x86\x46\xee\x0c\x43\xd0\xb7\xc5\x01\x81\xf2\x34\xec\x09\xeb\xa4\x3b\xc8\x6b\x16\x9e"));
+    ("BrainpoolP384", `BrainpoolP384 (Mirage_crypto_ec.BrainpoolP384.Dh.secret_of_octets "\x24\xdd\xf0\xfb\xb4\x1c\x28\x36\x5d\x30\x2d\xd9\xd2\x6f\xf9\xc3\x2c\x76\xc8\x5f\xa8\xb9\x13\x8a\x3e\xc6\x21\xd0\xca\xff\x6d\xe8\xa7\x24\xb4\x5d\x6f\xe0\xd9\x18\x00\x44\x24\x2b\x9f\x41\xc8\x4b" |> Result.get_ok |> fst,
+                    "\x04\x70\xff\xb3\x50\x17\x32\x56\xeb\x43\x7b\x14\x03\x65\x84\x23\x97\xeb\xaf\x36\x11\xb6\x38\x95\x96\xc1\xf1\x7c\x5f\xf5\xce\x52\x01\xf2\x4f\x69\x85\xb8\xfe\x08\x90\xdc\xae\x54\xb2\x60\x3d\xfb\x40\x87\x24\x2a\xaf\x7b\x2d\x95\xb3\x19\x9b\xfa\x03\xe8\xfc\xe5\x4e\xf6\x80\xb5\x71\x09\x84\x72\x74\xdb\x3b\x3a\x65\x51\x2b\x7f\x83\x22\x48\xe7\x0b\x10\x30\xe9\x5d\xb6\x42\x95\x89\x77\x5c\x33\x46"));
+    ("BrainpoolP512", `BrainpoolP512 (Mirage_crypto_ec.BrainpoolP512.Dh.secret_of_octets "\x62\x80\xeb\x95\x40\x5f\xa8\xc0\xe9\xd9\x70\x54\x73\x01\xbb\xef\xb1\x52\xc8\xc8\x11\x4a\xbc\x73\x0c\x89\xbf\x6d\xb3\xf7\xd9\x49\xfc\xfd\x7e\xbb\x82\xfd\x2d\xbd\x43\xd2\x8d\x47\xbf\x4e\xd9\x5d\xe9\x7b\xae\xd1\x9f\x7d\x08\x7c\xf3\x03\xd2\xb0\xcd\x41\x37\x67" |> Result.get_ok |> fst,
+                    "\x04\x8a\x73\xa6\x66\x05\xa5\xdb\x25\x2e\xf4\x18\xff\x2c\x43\x96\x9b\xd4\x12\x81\x87\xce\x43\x1c\x36\xa3\x3d\x3f\xf3\x03\x4c\xf8\x91\x0f\xb0\x02\x1c\xe8\x49\x72\x36\x21\x19\x9d\x0d\x7e\xa4\x80\x5f\x3c\xda\xb8\x2f\x6c\x90\x92\x57\x76\x2d\xa2\xa9\x7e\x26\x30\x5b\x07\x8c\x1f\xd7\x91\xfa\x95\x7e\x97\x5e\x30\xdf\x5b\x87\x60\x54\x75\x82\x67\x12\x9e\x49\x74\xa0\x83\x37\x2b\x0c\xe0\x71\x18\x0d\x05\xe1\x97\x8b\xd9\x0b\x84\x07\xc0\xa7\xff\x7f\x66\x51\xbd\x3f\xfc\xf1\xa5\x74\xdf\xe9\x5a\x2e\x8a\xf3\x86\x6c\xbb\x38\x5d\x21"));
     ("X25519", `X25519 (Mirage_crypto_ec.X25519.secret_of_octets "\x4c\x6d\xb7\xcf\x93\x5b\xcf\x84\x02\x61\x78\xd4\x0c\x95\x6a\xf0\x9d\x8e\x36\x32\x03\x49\x0d\x2c\x41\x62\x5a\xcb\x68\xb9\x31\xa4" |> Result.get_ok |> fst,
                         "\xca\x19\x19\x3c\xf5\xc0\xb3\x8c\x61\xaa\x01\xc1\x72\xb2\xe9\x3d\x16\xf7\x50\xd0\x84\x62\x77\xad\x32\x2d\xe5\xe4\xfb\x33\x24\x29"));
   ]
@@ -316,6 +347,9 @@ let benchmarks = [
            | `P256k1 _ -> P256k1.Dsa.generate () |> ignore
            | `P384 _ -> P384.Dsa.generate () |> ignore
            | `P521 _ -> P521.Dsa.generate () |> ignore
+           | `BrainpoolP256 _ -> BrainpoolP256.Dsa.generate () |> ignore
+           | `BrainpoolP384 _ -> BrainpoolP384.Dsa.generate () |> ignore
+           | `BrainpoolP512 _ -> BrainpoolP512.Dsa.generate () |> ignore
            | `Ed25519 _ -> Ed25519.generate () |> ignore
         )
         fst ecdsas);
@@ -327,6 +361,9 @@ let benchmarks = [
           | `P256k1 (key, _) -> P256k1.Dsa.sign ~key msg_str_32
           | `P384 (key, _) -> P384.Dsa.sign ~key msg_str_48
           | `P521 (key, _) -> P521.Dsa.sign ~key msg_str_65
+          | `BrainpoolP256 (key, _) -> BrainpoolP256.Dsa.sign ~key msg_str_32
+          | `BrainpoolP384 (key, _) -> BrainpoolP384.Dsa.sign ~key msg_str_48
+          | `BrainpoolP512 (key, _) -> BrainpoolP512.Dsa.sign ~key msg_str_64
           | `Ed25519 (key, _) -> Ed25519.sign ~key msg_str, ""
         )
         fst ecdsas);
@@ -338,6 +375,9 @@ let benchmarks = [
           | `P256k1 (key, signature) -> P256k1.Dsa.(verify ~key:(pub_of_priv key) signature msg_str_32)
           | `P384 (key, signature) -> P384.Dsa.(verify ~key:(pub_of_priv key) signature msg_str_48)
           | `P521 (key, signature) -> P521.Dsa.(verify ~key:(pub_of_priv key) signature msg_str_65)
+          | `BrainpoolP256 (key, signature) -> BrainpoolP256.Dsa.(verify ~key:(pub_of_priv key) signature msg_str_32)
+          | `BrainpoolP384 (key, signature) -> BrainpoolP384.Dsa.(verify ~key:(pub_of_priv key) signature msg_str_48)
+          | `BrainpoolP512 (key, signature) -> BrainpoolP512.Dsa.(verify ~key:(pub_of_priv key) signature msg_str_64)
           | `Ed25519 (key, signature) -> Ed25519.(verify ~key:(pub_of_priv key) signature ~msg:msg_str)
         ) fst ecdsas);
 
@@ -357,6 +397,9 @@ let benchmarks = [
           | `P256k1 _ -> P256k1.Dh.gen_key () |> ignore
           | `P384 _ -> P384.Dh.gen_key () |> ignore
           | `P521 _ -> P521.Dh.gen_key () |> ignore
+          | `BrainpoolP256 _ -> BrainpoolP256.Dh.gen_key () |> ignore
+          | `BrainpoolP384 _ -> BrainpoolP384.Dh.gen_key () |> ignore
+          | `BrainpoolP512 _ -> BrainpoolP512.Dh.gen_key () |> ignore
           | `X25519 _ -> X25519.gen_key () |> ignore)
         fst ecdh_shares);
 
@@ -367,6 +410,9 @@ let benchmarks = [
           | `P256k1 (sec, share) -> P256k1.Dh.key_exchange sec share |> Result.get_ok |> ignore
           | `P384 (sec, share) -> P384.Dh.key_exchange sec share |> Result.get_ok |> ignore
           | `P521 (sec, share) -> P521.Dh.key_exchange sec share |> Result.get_ok |> ignore
+          | `BrainpoolP256 (sec, share) -> BrainpoolP256.Dh.key_exchange sec share |> Result.get_ok |> ignore
+          | `BrainpoolP384 (sec, share) -> BrainpoolP384.Dh.key_exchange sec share |> Result.get_ok |> ignore
+          | `BrainpoolP512 (sec, share) -> BrainpoolP512.Dh.key_exchange sec share |> Result.get_ok |> ignore
           | `X25519 (sec, share) -> X25519.key_exchange sec share  |> Result.get_ok |> ignore)
         fst ecdh_shares);
 

ec/dune

@@ -5,7 +5,8 @@
  (foreign_stubs
   (language c)
   (names p256_stubs np256_stubs p384_stubs np384_stubs p521_stubs np521_stubs
-    curve25519_stubs secp256k1_stubs)
+    curve25519_stubs secp256k1_stubs brainpoolp256_stubs nbrainpoolp256_stubs
+    brainpoolp384_stubs nbrainpoolp384_stubs brainpoolp512_stubs nbrainpoolp512_stubs)
   (include_dirs ../src/native)
   (flags
    (:standard -DNDEBUG)

ec/gen_tables/gen_tables.ml

@@ -89,6 +89,9 @@ let curves =
       ("p256", (module P256 : Dh_dsa));
       ("p384", (module P384));
       ("p521", (module P521));
+      ("brainpoolp256", (module BrainpoolP256));
+      ("brainpoolp384", (module BrainpoolP384));
+      ("brainpoolp512", (module BrainpoolP512));
     ]
 
 let usage () =