1/* New ECC curves,
2
3   14 Apr 2001 (REC) ensured x1Minus arithmetic & prime point orders
4    5 Apr 2001 (REC) factored minusorder for NIST-P-192
5    3 Apr 2001 (REC) first draft
6
7   c. 2001 Apple Computer, Inc.
8   All Rights Reserved.
9
10   Currently there are 7 (seven) curves, at varying
11   bit-depth and varying parameter types:
12
13   FEE curves (use Montgomery arithmetic and feemod base-prime):
14				31 bits
15				127 bits
16   IEEE curves (use projective arithmetic):
17				31 bits  (feemod base-prime)
18                128 bits (feemod base-prime)
19				161 bits (feemod base-prime) (default preference)
20				161 bits (general prime)
21				192 bits (general. prime) (NIST-recommended)
22
23   Each curve is given key comments atop the parameters.
24   For performance considerations,
25
26       primeType->Mersenne is faster than primeType->feemod is
27           faster than primeType->general
28
29       curveType->Montgomery is faster than curveType->Weierstrass,
30
31   Some choices are not obvious except to cryptographers;
32   e.g., the two curves given for 161 bits exist because
33   of cryptographic controversies; probably the curve with
34   both orders prime is more secure, so it is perhaps
35   the curve of choice at 161 bits.
36
37   The parameters/points have standard meaning, except for our
38   special entities as listed below.  It is important to note the
39   principle thgat, without exception, every CryptKit base prime
40   p is = 3 (mod 4).  This allows simple square-rooting in the field
41   F_p.  Because of this universal constraint, (-1) is always a
42   quadratic nonresidue and so twist curves as below can assume
43   g = -1.
44
45     (...)plusOrder :=  The usual elliptic-curve order;
46     (...)x1Plus := x-coordinate on y^2 = x^3 + c x^2 + a x + b;
47     (...)x1OrderPlus := Order of x1Plus, always divides plusOrder
48     (...)minusOrder := Order of the twist curve = 2p+2-plusOrder
49     (...)x1Minus := x-coordinate chosen on the twist curve
50             g y^2 = x^3 + c x^2 + a x + b
51         where g = -1 is the nonresidue, and such that
52         the special, x-coordinates-only, twofold-ambiguous "add" of
53         FEED works on the minus curve, using the same curve
54         parameters a,b,c as for the plus curve.  Note that
55         x1Minus is to be chosen so that the correct "add" arithmetic
56         occurs, and also so that the desired point order accrues.
57     (...)x1OrderMinus := Order of x1Plus, always divides minusOrder.
58
59    In each of the curves specified below, the plusOrder (at least)
60    is prime, while each of the point orders x1OrderPlus/Minus
61    is always prime.
62
63   Note that the older labels Atkin3, Atkin4 have been abolished.
64
65 */
66
67 /* FEE CURVE: USE FOR FEE SIG. & FEED ONLY.
68  * primeType->Mersenne
69  * curveType->Montgomery
70  * q = 31;   k = 1;  p = 2^q - k;
71  * a = 1;   b = 0;   c = 666;
72  * Both orders composite.
73  */
74static const arrayDigit ga_31m_x1Plus[]   =
75	{2, 61780, 6237};
76	/* 408809812 */
77static const arrayDigit ga_31m_x1Minus[]  =
78	{2,12973,30585};
79	/* 2004431533 */
80static const arrayDigit ga_31m_plusOrder[]  =
81	{2, 25928, 32768 };
82	/* 2147509576 = 2^3 * 268438697. */
83static const arrayDigit ga_31m_minusOrder[]  =
84	{2, 39608, 32767 };
85	/* 2147457720 = 2^3 * 3 * 5 * 17895481. */
86static const arrayDigit ga_31m_x1OrderPlus[] =
87	{2, 3241, 4096};
88	/* 268438697 */
89static const arrayDigit ga_31m_x1OrderMinus[]  =
90	{2, 4153, 273};
91	/* 17895481 */
92static const arrayDigit ga_31m_x1OrderPlusRecip[]  =
93	{2, 52572, 16383};
94static const arrayDigit ga_31m_lesserX1OrderRecip[]  =
95	{2, 759, 960};
96
97 /* IEEE P1363 COMPATIBLE.
98  * primeType->Mersenne
99  * curveType->Weierstrass
100  * q = 31;   k = 1; p = 2^q-k;
101  * a = 5824692    b = 2067311435   c = 0
102  * Both orders prime.
103  */
104static const arrayDigit ga_31w_x1Plus[]   =
105	{1, 6 };
106static const arrayDigit ga_31w_x1Minus[]  =
107	{1, 7 };
108static const arrayDigit ga_31w_plusOrder[]  =
109	{2,59003,32766 };
110	/* 2147411579 */
111static const arrayDigit ga_31w_minusOrder[]  =
112	{2,6533,32769 };
113	/* 2147555717 */
114static const arrayDigit ga_31w_x1OrderPlus[] =
115	{2,59003,32766};
116	/* 2147411579 */
117static const arrayDigit ga_31w_x1OrderMinus[]  =
118	{2,6533,32769};
119	/* 2147555717 */
120static const arrayDigit ga_31w_x1OrderPlusRecip[]  =
121	{2, 6535, 32769};
122
123static const arrayDigit ga_31w_a[]  =
124	{2,57524,88};
125	/* 5824692 */
126static const arrayDigit ga_31w_b[]  =
127	{2,43851,31544};
128	/* 2067311435 */
129
130 /* FEE CURVE: USE FOR FEE SIG. & FEED ONLY.
131  * primeType->Mersenne
132  * curveType->Montgomery
133  * q = 127;   k = 1;  p = 2^q - k;
134  * a = 1;   b = 0;   c = 666;
135  * Both orders composite.
136  */
137static const arrayDigit ga_127m_x1Plus[]  =
138	{8,     24044, 39922, 11050,
139	 24692, 34049, 9793,  1228, 31562};
140	/* 163879370753099435779911346846180728300 */
141static const arrayDigit ga_127m_x1Minus[] =
142	{8,49015,6682,26772,63672,45560,46133,24769,8366};
143	/* 43440717976631899041527862406676135799 */
144static const arrayDigit ga_127m_plusOrder[]  =
145	{ 8,     14612, 61088, 34331,
146	  32354, 65535, 65535, 65535,
147	  32767};
148	/* 170141183460469231722347548493196835092 =
1492^2 * 3^4 * 71 * 775627 * 9535713005180210505588285449. */
150static const arrayDigit ga_127m_minusOrder[] =
151	{ 8,     50924, 4447, 31204,
152	  33181, 0,     0,    0,
153	  32768 };
154	/* 170141183460469231741027058938571376364 =
1552^2 * 17 * 743 * 1593440383 * 2113371777483973234080067. */
156static const arrayDigit ga_127m_x1OrderPlus[] =
157	{6,     8201,  61942, 37082,
158	 53787, 49605, 7887 };
159	/* 9535713005180210505588285449 */
160static const arrayDigit ga_127m_x1OrderMinus[] =
161	{6,    14659, 1977,16924,
162	 7446, 49030, 1};
163	/* 2113371777483973234080067 */
164static const arrayDigit ga_127m_x1OrderPlusRecip[]  =
165	{6, 21911, 8615, 0, 40960, 64107, 8507};
166static const arrayDigit ga_127m_lesserX1OrderRecip[]  =
167	{6, 44759, 65533, 17695, 61560, 18883, 2};
168
169 /* IEEE P1363 COMPATIBLE.
170  * primeType->feemod
171  * curveType->Weierstrass
172  * q = 127;  k = -57675; p = 2^q - k;
173  * a = 170141183460469025572049133804586627403;
174  * b = 170105154311605172483148226534443139403;    c = 0;
175  * Both orders prime.:
176  */
177static const arrayDigit ga_128w_x1Plus[] =
178	{1,6};
179	/* 6 */
180static const arrayDigit ga_128w_x1Minus[] =
181	{1,3};
182	/* 3 */
183static const arrayDigit ga_128w_plusOrder[] =
184	{8,40455,13788,48100,24190,1,0,0,32768};
185	/* 170141183460469231756943134065055014407. */
186static const arrayDigit ga_128w_minusOrder[] =
187	{8,9361,51749,17435,41345,65534,65535,65535,32767};
188	/* 170141183460469231706431473366713312401. */
189static const arrayDigit ga_128w_x1OrderPlus[] =
190	{8,40455,13788,48100,24190,1,0,0,32768};
191	/* 170141183460469231756943134065055014407. */
192static const arrayDigit ga_128w_x1OrderMinus[] =
193	{8,9361,51749,17435,41345,65534,65535,65535,32767};
194	/* 170141183460469231706431473366713312401. */
195static const arrayDigit ga_128w_x1OrderPlusRecip[] =
196	{9,34802,10381,4207,34309,65530,65535,65535,65535,1};
197static const arrayDigit ga_128w_lesserX1OrderRecip[] =
198	{8,56178,13786,48100,24190,1,0,0,32768};
199
200static const arrayDigit ga_128w_a[] =
201	{8,29003,44777,29962,4169,54360,65535,65535,32767};
202	/* 170141183460469025572049133804586627403; */
203static const arrayDigit ga_128w_b[] =
204	{8,16715,42481,16221,60523,56573,13644,4000,32761};
205	/* 170105154311605172483148226534443139403. */
206
207 /* IEEE P1363 COMPATIBLE.
208  * primeType->feemod
209  * curveType->Weierstrass
210  * q = 160;  k = -5875; p = 2^q - k;
211  * a = 1461501637330902918203684832716283019448563798259;
212  * b = 36382017816364032;    c = 0;
213  * Both orders prime.:
214  */
215static const arrayDigit ga_161w_x1Plus[] =
216	{1,7};
217	/* 7 */
218static const arrayDigit ga_161w_x1Minus[] =
219	{1,4};
220	/* 4 */
221static const arrayDigit ga_161w_plusOrder[] =
222	{11,50651,30352,49719,403,64085,1,0,0,0,0,1};
223	/* 1461501637330902918203687223801810245920805144027. */
224static const arrayDigit ga_161w_minusOrder[] =
225	{10,26637,35183,15816,65132,1450,65534,65535,65535,65535,65535};
226	/* 1461501637330902918203682441630755793391059953677. */
227static const arrayDigit ga_161w_x1OrderPlus[] =
228	{11,50651,30352,49719,403,64085,1,0,0,0,0,1};
229	/* 1461501637330902918203687223801810245920805144027. */
230static const arrayDigit ga_161w_x1OrderMinus[] =
231	{10,26637,35183,15816,65132,1450,65534,65535,65535,65535,65535};
232	/* 1461501637330902918203682441630755793391059953677. */
233static const arrayDigit ga_161w_x1OrderPlusRecip[] =
234	{11,59555,9660,63266,63920,5803,65528,65535,65535,65535,65535,3};
235/* added by dmitch */
236static const arrayDigit ga_161w_lesserX1OrderRecip[] =
237	{12,38902,30352,49719,403,64085,1,0,0,0,0,1,0};
238/* end addenda */
239
240static const arrayDigit ga_161w_a[] =  {10,4339,47068,65487,65535,65535,65535,65535,65535,65535,65535};
241/* 1461501637330902918203684832716283019448563798259; */
242static const arrayDigit ga_161w_b[] =    {4,1024,41000,16704,129};
243/* 36382017816364032. */
244
245 /* IEEE P1363 COMPATIBLE.
246  * primeType->General
247  * curveType->Weierstrass
248  * p is a 161-bit random prime (below, ga_161_gen_bp[]);
249  * a = -152;   b = 722;    c = 0;
250  * Both orders composite.:
251  */
252static const arrayDigit ga_161_gen_bp[] =
253	{11,41419,58349,36408,14563,25486,9098,29127,50972,7281,8647,1};
254	/* baseprime = 1654338658923174831024422729553880293604080853451 */
255static const arrayDigit ga_161_gen_x1Plus[] =
256	{10,59390,38748,49144,50217,32781,46057,53816,62856,18968,55868};
257	/* 1245904487553815885170631576005220733978383542270 */
258static const arrayDigit ga_161_gen_x1Minus[] =
259	{10,12140,40021,9852,49578,18446,39468,28773,10952,26720,52624};
260   /* 1173563507729187954550227059395955904200719019884 */
261static const arrayDigit ga_161_gen_plusOrder[] =
262	{11,41420,58349,36408,14563,25486,9100,29127,50972,7281,8647,1};
263	/* 1654338658923174831024425147405519522862430265804 =
264   2^2 * 23 * 359 * 479 * 102107 * 1024120625531724089187207582052247831. */
265static const arrayDigit ga_161_gen_minusOrder[] =
266	{11,41420,58349,36408,14563,25486,9096,29127,50972,7281,8647,1};
267	/* 1654338658923174831024420311702241064345731441100 =
2682^2 * 5^2 * 17^2 * 57243552211874561627142571339177891499852299. */
269static const arrayDigit ga_161_gen_x1OrderPlus[] =
270	{8,59671,64703,58305,55887,34170,37971,15627,197};
271	/* 1024120625531724089187207582052247831 */
272static const arrayDigit ga_161_gen_x1OrderMinus[] =
273	{10,49675,56911,64364,6281,5543,59511,52057,44604,37151,2};
274	/* 57243552211874561627142571339177891499852299 */
275static const arrayDigit ga_161_gen_x1OrderPlusRecip[] =
276	{8, 7566, 37898, 14581, 2404, 52670, 23839, 17554, 332};
277
278static const arrayDigit ga_161_gen_a[] =    {-1, 152};	/* a = -152 */
279static const arrayDigit ga_161_gen_b[] =    { 1, 722};	/* b = 722 */
280
281
282 /* IEEE P1363 COMPATIBLE.
283  * (NIST-P-192 RECOMMENDED PRIME)
284  * primeType->General
285  * curveType->Weierstrass
286  * p is a 192-bit prime (with efficient bit structure) (below, ga_192_gen_bp[]);
287  * a = -3;   b = 2455155546008943817740293915197451784769108058161191238065;    c = 0;
288  * Plus-order is prime, minus-order is composite.
289  */
290static const arrayDigit ga_192_gen_bp[] =
291	{12,65535,65535,65535,65535,65534,65535,65535,65535,65535,65535,65535,65535};
292	/* baseprime =
2936277101735386680763835789423207666416083908700390324961279 */
294static const arrayDigit ga_192_gen_x1Plus[] =
295	{1,3};
296	/* 3 */
297static const arrayDigit ga_192_gen_x1Minus[] =
298	{12,25754,63413,46363,42413,24848,21836,55473,50853,40413,10264,8715,59556};
299	/*  5704344264203732742656350325931731344592841761552300598426 */
300static const arrayDigit ga_192_gen_plusOrder[] =
301	{12,10289,46290,51633,5227,63542,39390,65535,65535,65535,65535,65535,65535};
302	/* 6277101735386680763835789423176059013767194773182842284081 */
303static const arrayDigit ga_192_gen_minusOrder[] =
304	{13,55247,19245,13902,60308,1991,26145,0,0,0,0,0,0,1};
305	/* 6277101735386680763835789423239273818400622627597807638479 =
306       23 * 10864375060560251605900677743 *
307            25120401793443689936479125511   */
308static const arrayDigit ga_192_gen_x1OrderPlus[] =
309	{12,10289,46290,51633,5227,63542,39390,65535,65535,65535,65535,65535,65535};
310	/* 6277101735386680763835789423176059013767194773182842284081 */
311static const arrayDigit ga_192_gen_x1OrderMinus[] =
312	{12,16649,40728,9152,53911,59923,9684,22795,17096,45590,34192,25644,2849};
313	/* 272917466755942641905903887966924948626114027286861201673 =
31410864375060560251605900677743 * 25120401793443689936479125511
315*/
316static const arrayDigit ga_192_gen_x1OrderPlusRecip[] =
317	{13,55247,19245,13902,60308,1993,26145,0,0,0,0,0,0,1};
318static const arrayDigit ga_192_gen_lesserX1OrderRecip[] =
319{12,57756,63294,44830,2517,2125,63187,65535,65535,65535,65535,65535,5887};
320
321static const arrayDigit ga_192_gen_a[] =    {-1, 3}; /* a = -3. */
322static const arrayDigit ga_192_gen_b[] =
323{12,47537,49478,57068,65208,12361,29220,59819,4007,32999,58780,1305,25633};
324/* b = 2455155546008943817740293915197451784769108058161191238065. */
325
326/***
327 *** ANSI X9.62/Certicom curves
328 ***/
329
330/*
331 * secp192r1
332 *
333 * p     = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF
334 *		 = 6277101735386680763835789423207666416083908700390324961279 (d)
335 * a     = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC
336 *		 = 6277101735386680763835789423207666416083908700390324961276
337 * b     = 64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
338 *		 = 2455155546008943817740293915197451784769108058161191238065
339 * x     = 188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012
340 *		 = 602046282375688656758213480587526111916698976636884684818
341 * y     = 07192B95FFC8DA78631011ED6B24CDD573F977A11E794811
342 *		 = 174050332293622031404857552280219410364023488927386650641
343 * order = FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831
344 *		 = 6277101735386680763835789423176059013767194773182842284081
345 * x1OrderRecip = 1000000000000000000000000662107c9eb94364e4b2dd7cf
346 */
347static const arrayDigit ga_192_secp_bp[] =
348	{12, 0xffff, 0xffff, 0xffff, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff};
349static const arrayDigit ga_192_secp_x1Plus[] =
350	{12, 0x1012, 0x82ff, 0xafd, 0xf4ff, 0x8800, 0x43a1, 0x20eb, 0x7cbf, 0x90f6, 0xb030, 0xa80e, 0x188d};
351static const arrayDigit ga_192_secp_y1Plus[] =
352	{12, 0x4811, 0x1e79, 0x77a1, 0x73f9, 0xcdd5, 0x6b24, 0x11ed, 0x6310, 0xda78, 0xffc8, 0x2b95, 0x719};
353static const arrayDigit ga_192_secp_plusOrder[] =
354	{12, 0x2831, 0xb4d2, 0xc9b1, 0x146b, 0xf836, 0x99de, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff};
355/* the curve order is prime, so x1Order = curveOrder */
356static const arrayDigit ga_192_secp_x1OrderPlus[] =
357	{12, 0x2831, 0xb4d2, 0xc9b1, 0x146b, 0xf836, 0x99de, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff};
358static const arrayDigit ga_192_secp_x1OrderPlusRecip[] =
359	{13, 0xd7cf, 0x4b2d, 0x364e, 0xeb94, 0x7c9, 0x6621, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1};
360static const arrayDigit ga_192_secp_a[] =
361	{12, 0xfffc, 0xffff, 0xffff, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff};
362static const arrayDigit ga_192_secp_b[] =
363	{12, 0xb9b1, 0xc146, 0xdeec, 0xfeb8, 0x3049, 0x7224, 0xe9ab, 0xfa7, 0x80e7, 0xe59c, 0x519, 0x6421};
364
365
366/*
367 * secp256r1
368 *
369 * p     = FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
370 *		 = 115792089210356248762697446949407573530086143415290314195533631308867097853951
371 * a     = FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC
372 *		 = 115792089210356248762697446949407573530086143415290314195533631308867097853948
373 * b     = 5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
374 *		 = 41058363725152142129326129780047268409114441015993725554835256314039467401291
375 * x     = 6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
376 *		 = 48439561293906451759052585252797914202762949526041747995844080717082404635286
377 * y     = 4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
378 *		 = 36134250956749795798585127919587881956611106672985015071877198253568414405109
379 * order = FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
380 *		 = 115792089210356248762697446949407573529996955224135760342422259061068512044369
381 *                FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
382 * x1OrderRecip = 100000000fffffffffffffffeffffffff43190552df1a6c21012ffd85eedf9bfe
383 */
384static const arrayDigit ga_256_secp_bp[] =
385	{16, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0,
386	 0x0, 0x1, 0x0, 0xffff, 0xffff};
387static const arrayDigit ga_256_secp_x1Plus[] =
388	{16, 0xc296, 0xd898, 0x3945, 0xf4a1, 0x33a0, 0x2deb, 0x7d81, 0x7703, 0x40f2,
389	0x63a4, 0xe6e5, 0xf8bc, 0x4247, 0xe12c, 0xd1f2, 0x6b17};
390static const arrayDigit ga_256_secp_y1Plus[] =
391	{16, 0x51f5, 0x37bf, 0x4068, 0xcbb6, 0x5ece, 0x6b31, 0x3357, 0x2bce, 0x9e16,
392	0x7c0f, 0xeb4a, 0x8ee7, 0x7f9b, 0xfe1a, 0x42e2, 0x4fe3};
393static const arrayDigit ga_256_secp_plusOrder[] =
394	{16, 0x2551, 0xfc63, 0xcac2, 0xf3b9, 0x9e84, 0xa717, 0xfaad, 0xbce6, 0xffff,
395	0xffff, 0xffff, 0xffff, 0x0, 0x0, 0xffff, 0xffff};
396static const arrayDigit ga_256_secp_x1OrderPlus[] =
397	{16, 0x2551, 0xfc63, 0xcac2, 0xf3b9, 0x9e84, 0xa717, 0xfaad, 0xbce6, 0xffff,
398	0xffff, 0xffff, 0xffff, 0x0, 0x0, 0xffff, 0xffff};
399static const arrayDigit ga_256_secp_x1OrderPlusRecip[] =
400	{17, 0x9bfe, 0xeedf, 0xfd85, 0x12f, 0x6c21, 0xdf1a, 0x552, 0x4319, 0xffff,
401	0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0x0, 0x0, 0x1};
402static const arrayDigit ga_256_secp_a[] =
403	{16, 0xfffc, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0,
404	 0x0, 0x1, 0x0, 0xffff, 0xffff};
405static const arrayDigit ga_256_secp_b[] =
406	{16, 0x604b, 0x27d2, 0x3c3e, 0x3bce, 0xb0f6, 0xcc53, 0x6b0, 0x651d, 0x86bc,
407	 0x7698, 0xbd55, 0xb3eb, 0x93e7, 0xaa3a, 0x35d8, 0x5ac6};
408
409/*
410 * secp384r1
411 *
412 * p     = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF\
413 *		   0000000000000000FFFFFFFF
414 *		 = 394020061963944792122790401001436138050797392704654466679482934042457217\
415 *		   71496870329047266088258938001861606973112319
416 * a     = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF\
417 *		   0000000000000000FFFFFFFC
418 *		 = 394020061963944792122790401001436138050797392704654466679482934042457217\
419 *		   71496870329047266088258938001861606973112316
420 * b     = B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D\
421 *		   8A2ED19D2A85C8EDD3EC2AEF
422 *		 = 275801935599597058778490118403890480930569058563615685214287073019886892\
423 *		   41309860865136260764883745107765439761230575
424 * x     = AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25D\
425 *		   BF55296C3A545E3872760AB7
426 *		 = 262470350957996892686231567445669818918529234911092133878156159009255188\
427 *		   54738050089022388053975719786650872476732087
428 * y     = 3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE\
429 *		   1D7E819D7A431D7C90EA0E5F
430 *		 = 832571096148902998554675128952010817928785304886131559470920590248050319\
431 *		   9884419224438643760392947333078086511627871
432 * order = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB2\
433 *		   48B0A77AECEC196ACCC52973
434 *		 = 394020061963944792122790401001436138050797392704654466679469052796276593\
435 *		   99113263569398956308152294913554433653942643
436 */
437static const arrayDigit ga_384_secp_bp[] =
438	{24, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0xffff, 0xffff, 0xfffe, 0xffff,
439	 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
440	 0xffff, 0xffff, 0xffff, 0xffff, 0xffff};
441static const arrayDigit ga_384_secp_x1Plus[] =
442	{24, 0xab7, 0x7276, 0x5e38, 0x3a54, 0x296c, 0xbf55, 0xf25d, 0x5502, 0x2a38,
443	0x8254, 0x41e0, 0x59f7, 0x9b98, 0x8ba7, 0x3b62, 0x6e1d, 0xad74, 0xf320,
444	0xc71e, 0x8eb1, 0x537, 0xbe8b, 0xca22, 0xaa87};
445static const arrayDigit ga_384_secp_y1Plus[] =
446	{24, 0xe5f, 0x90ea, 0x1d7c, 0x7a43, 0x819d, 0x1d7e, 0xb1ce, 0xa60, 0xb8c0,
447	 0xb5f0, 0x3113, 0xe9da, 0x147c, 0x289a, 0x1dbd, 0xf8f4, 0xdc29, 0x9292,
448	 0x98bf, 0x5d9e, 0x2c6f, 0x9626, 0xde4a, 0x3617};
449static const arrayDigit ga_384_secp_plusOrder[] =
450	{24, 0x2973, 0xccc5, 0x196a, 0xecec, 0xa77a, 0x48b0, 0xdb2, 0x581a, 0x2ddf,
451	0xf437, 0x4d81, 0xc763, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
452	0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff};
453static const arrayDigit ga_384_secp_x1OrderPlus[] =
454	{24, 0x2973, 0xccc5, 0x196a, 0xecec, 0xa77a, 0x48b0, 0xdb2, 0x581a, 0x2ddf,
455	0xf437, 0x4d81, 0xc763, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
456	0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff};
457static const arrayDigit ga_384_secp_x1OrderPlusRecip[] =
458	{25, 0xd68d, 0x333a, 0xe695, 0x1313, 0x5885, 0xb74f, 0xf24d, 0xa7e5, 0xd220, 0xbc8,
459	0xb27e, 0x389c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1};
460static const arrayDigit ga_384_secp_a[] =
461	{24, 0xfffc, 0xffff, 0x0, 0x0, 0x0, 0x0, 0xffff, 0xffff, 0xfffe, 0xffff,
462	 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
463	 0xffff, 0xffff, 0xffff, 0xffff, 0xffff};
464static const arrayDigit ga_384_secp_b[] =
465	{24, 0x2aef, 0xd3ec, 0xc8ed, 0x2a85, 0xd19d, 0x8a2e, 0x398d, 0xc656, 0x875a,
466	 0x5013, 0x88f, 0x314, 0x4112, 0xfe81, 0x9c6e, 0x181d, 0x2d19, 0xe3f8, 0x56b,
467	 0x988e, 0xe7e4, 0xe23e, 0x2fa7, 0xb331};
468
469/*
470 * secp521r1
471 * p     = 01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\
472 *		   FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
473 *		 = 686479766013060971498190079908139321726943530014330540939446345918554318\
474 *		   339765605212255964066145455497729631139148085803712198799971664381257402\
475 *		   8291115057151
476 * a     = 01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\
477 *		   FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC
478 *		 = 686479766013060971498190079908139321726943530014330540939446345918554318\
479 *		   339765605212255964066145455497729631139148085803712198799971664381257402\
480 *		   8291115057148
481 * b     = 0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E15619\
482 *		   3951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00
483 *		 = 109384903807373427451111239076680556993620759895168374899458639449595311\
484 *		   615073501601370873757375962324859213229670631330943845253159101291214232\
485 *		   7488478985984
486 * x     = 00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B\
487 *		   5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66
488 *		 = 266174080205021706322876871672336096072985916875697314770667136841880294\
489 *		   499642780849154508062777190235209424122506555866215711354557091681416163\
490 *		   7315895999846
491 * y     = 011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE\
492 *		   72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650
493 *		 = 375718002577002046354550722449118360359445513476976248669456777961554447\
494 *		   744055631669123440501294553956214444453728942852258566672919658081012434\
495 *		   4277578376784
496 * order = 01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA5186\
497 *		   8783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409
498 *		 = 686479766013060971498190079908139321726943530014330540939446345918554318\
499 *		   339765539424505774633321719753296399637136332111386476861244038034037280\
500 *		   8892707005449
501 * orderRecip = 200 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000005 \
502 *					ae79787c 40d06994 8033feb7 08f65a2f c44a3647 7663b851 449048e1 6ec79bf7
503 * orderRecip = 2000000000000000000000000000000000000000000000000000000000000000005ae79787c40d069948033feb708f65a2fc44a36477663b851449048e16ec79bf7
504 */
505static const arrayDigit ga_521_secp_bp[] =
506	{33, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
507	 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
508	 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
509	 0xffff, 0xffff, 0xffff, 0x1ff};
510static const arrayDigit ga_521_secp_x1Plus[] =
511	{33, 0xbd66, 0xc2e5, 0x7e31, 0xf97e, 0x429b, 0x856a, 0xb3c1, 0x3348, 0xa8de, 0xa2ff,
512	0xc127, 0xfe1d, 0x5928, 0xefe7, 0x5e77, 0xa14b, 0x3dba, 0x6b4d, 0xaf60, 0xf828, 0xb521,
513	0x53f, 0x8139, 0x9c64, 0xb442, 0x2395, 0xcb66, 0x9e3e, 0xe9cd, 0x404, 0x6b7, 0x858e, 0xc6};
514static const arrayDigit ga_521_secp_y1Plus[] =
515	{33, 0x6650, 0x9fd1, 0x9476, 0x88be, 0xc240, 0xa272, 0x7086, 0x353c, 0x761, 0x3fad,
516	 0xb901, 0xc550, 0x2640, 0x5ef4, 0x7299, 0x97ee, 0x662c, 0x273e, 0xbd17, 0x17af, 0x4468,
517	 0x579b, 0x4449, 0x98f5, 0x1bd9, 0x2c7d, 0x5fb4, 0x5c8a, 0xc004, 0x9a3b, 0x6a78, 0x3929,
518	 0x118};
519static const arrayDigit ga_521_secp_plusOrder[] =
520	{33, 0x6409, 0x9138, 0xb71e, 0xbb6f, 0x47ae, 0x899c, 0xc9b8, 0x3bb5, 0xa5d0, 0xf709,
521	0x148, 0x7fcc, 0x966b, 0xbf2f, 0x8783, 0x5186, 0xfffa, 0xffff, 0xffff, 0xffff, 0xffff,
522	0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
523	0x1ff};
524static const arrayDigit ga_521_secp_x1OrderPlus[] =
525	{33, 0x6409, 0x9138, 0xb71e, 0xbb6f, 0x47ae, 0x899c, 0xc9b8, 0x3bb5, 0xa5d0, 0xf709,
526	0x148, 0x7fcc, 0x966b, 0xbf2f, 0x8783, 0x5186, 0xfffa, 0xffff, 0xffff, 0xffff, 0xffff,
527	0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
528	0x1ff};
529static const arrayDigit ga_521_secp_x1OrderPlusRecip[] =
530{33, 0x9bf7, 0x6ec7, 0x48e1, 0x4490, 0xb851, 0x7663, 0x3647, 0xc44a, 0x5a2f, 0x8f6, 0xfeb7, 0x8033, 0x6994, 0x40d0, 0x787c, 0xae79, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200};
531static const arrayDigit ga_521_secp_a[] =
532	{33, 0xfffc, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
533	0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
534	0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
535	0xffff, 0xffff, 0xffff, 0x1ff};
536static const arrayDigit ga_521_secp_b[] =
537	{33, 0x3f00, 0x6b50, 0x1fd4, 0xef45, 0x34f1, 0x3d2c, 0xdf88, 0x3573, 0xbf07,
538	0x3bb1, 0xc0bd, 0x1652, 0x937b, 0xec7e, 0x3951, 0x5619, 0x9e1, 0x8ef1, 0x8991,
539	0xb8b4, 0x15f3, 0x99b3, 0x725b, 0xa2da, 0x40ee, 0xb685, 0x21a0, 0x929a, 0x9a1f,
540	0x8e1c, 0xb961, 0x953e, 0x51};
541