Expand description
NIST P-521 Elliptic Curve Primitives
This module implements the NIST P-521 elliptic curve operations in constant time. The curve equation is y² = x³ - 3x + b over the prime field F_p where:
- p = 2^521 - 1 (NIST P-521 prime, a Mersenne prime)
- The curve order n = 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409
All operations are implemented to be constant-time to prevent timing attacks. The implementation uses:
- Mersenne reduction for field arithmetic (2^521 ≡ 1 mod p)
- Jacobian projective coordinates for efficient point operations
- Binary scalar multiplication with constant-time point selection
Structs§
- Field
Element - P-521 field element representing values in Fₚ (p = 2^521 − 1). Internally stored as 17 little-endian 32-bit limbs; only the low 9 bits of limb 16 are significant.
- Point
- P-521 elliptic curve point in affine coordinates (x, y)
- Scalar
- P-521 scalar value for use in elliptic curve operations. Represents integers modulo the curve order n. Used for private keys and scalar multiplication. Automatically zeroized on drop for security.
Enums§
- Point
Format - Format of a serialized elliptic curve point
Constants§
- P521_
FIELD_ ELEMENT_ SIZE - Size of a P-521 field element in bytes (66 bytes)
- P521_
KEM_ SHARED_ SECRET_ KDF_ OUTPUT_ SIZE - Size of the KDF output for P-521 ECDH-KEM shared secret derivation (e.g., for HKDF-SHA512)
- P521_
POINT_ COMPRESSED_ SIZE - Size of a compressed P-521 point in bytes: format byte (0x02/0x03) + x-coordinate
- P521_
POINT_ UNCOMPRESSED_ SIZE - Size of an uncompressed P-521 point in bytes: format byte (0x04) + x-coordinate + y-coordinate
- P521_
SCALAR_ SIZE - Size of a P-521 scalar in bytes (66 bytes)
Functions§
- base_
point_ g - Get the standard base point G of the P-521 curve
- generate_
keypair - Generate a cryptographically secure ECDH keypair
- kdf_
hkdf_ sha512_ for_ ecdh_ kem - Key derivation function for ECDH shared secret using HKDF-SHA512
- scalar_
mult - General scalar multiplication: compute scalar * point
- scalar_
mult_ base_ g - Scalar multiplication with the base point: scalar * G