

6.2.3 ECC key parameters

An ECC private key is described by this S-expression:

(private-key
  (ecc
    (p p-mpi)
    (a a-mpi)
    (b b-mpi)
    (g g-point)
    (n n-mpi)
    (q q-point)
    (d d-mpi)))

p-mpi

Prime specifying the field GF(p).

a-mpi
b-mpi

The two coefficients of the Weierstrass equation y^2 = x^3 + ax + b.

g-point

Base point g.

n-mpi

Order of g.

q-point

The point representing the public key Q = dG.

d-mpi

The private key d.

All point values are encoded in standard format; Libgcrypt generally supports only uncompressed points, so the first byte needs to be 0x04. However, “EdDSA” describes its own compression scheme, which is used by default; the non-standard first byte 0x40 may optionally be used to explicitly flag the use of the algorithm’s native compression method.

The public key is similar, with "private-key" replaced by "public-key" and no d-mpi.

If the domain parameters are well-known, the name of this curve may be used. For example:

(private-key
  (ecc
    (curve "NIST P-192")
    (q q-point)
    (d d-mpi)))

Note that q-point is optional for a private key. The curve parameter may be given in any case and is used to replace missing parameters.

Currently implemented curves are:

NIST P-192
1.2.840.10045.3.1.1
prime192v1
secp192r1

The NIST 192 bit curve, its OID, X9.62 and SECP aliases.

NIST P-224
secp224r1

The NIST 224 bit curve and its SECP alias.

NIST P-256
1.2.840.10045.3.1.7
prime256v1
secp256r1

The NIST 256 bit curve, its OID, X9.62 and SECP aliases.

NIST P-384
secp384r1

The NIST 384 bit curve and its SECP alias.

NIST P-521
secp521r1

The NIST 521 bit curve and its SECP alias.

As usual, the OIDs may optionally be prefixed with the string "OID." or "oid.".
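The following added example (not part of Libgcrypt or its manual) shows a caller-side check that can run before a q-point is placed into one of the S-expressions above: it resolves a curve name, alias or OID from the list in this section and verifies that the byte string is an uncompressed point. The names curve_bits and check_q_point are hypothetical, and two rules are assumptions of this example rather than documented library behaviour: the exact length check (0x04 followed by two coordinates padded to the field size) and accepting the "OID."/"oid." prefix only in front of an OID.

```c
#include <stddef.h>
#include <string.h>

/* Curve names and aliases as listed in this section, with field size in bits. */
static const struct { const char *name; unsigned bits; } curves[] = {
  { "NIST P-192", 192 }, { "1.2.840.10045.3.1.1", 192 },
  { "prime192v1", 192 }, { "secp192r1", 192 },
  { "NIST P-224", 224 }, { "secp224r1", 224 },
  { "NIST P-256", 256 }, { "1.2.840.10045.3.1.7", 256 },
  { "prime256v1", 256 }, { "secp256r1", 256 },
  { "NIST P-384", 384 }, { "secp384r1", 384 },
  { "NIST P-521", 521 }, { "secp521r1", 521 },
};

/* Return the field size in bits for a curve name, alias or OID; 0 if unknown. */
unsigned curve_bits (const char *name)
{
  int oid_only = 0;
  size_t i;

  if (!strncmp (name, "OID.", 4) || !strncmp (name, "oid.", 4))
    {
      name += 4;
      oid_only = 1;  /* assumption: the prefix is valid only before an OID */
    }
  for (i = 0; i < sizeof curves / sizeof *curves; i++)
    if (!strcmp (name, curves[i].name)
        && (!oid_only
            || (curves[i].name[0] >= '0' && curves[i].name[0] <= '9')))
      return curves[i].bits;
  return 0;
}

enum q_check { Q_OK = 0, Q_UNKNOWN_CURVE, Q_NOT_UNCOMPRESSED, Q_BAD_LENGTH };

/* Check a q-point byte string for one of the Weierstrass curves above. */
enum q_check check_q_point (const char *curve,
                            const unsigned char *q, size_t qlen)
{
  unsigned bits = curve_bits (curve);
  size_t flen = (bits + 7) / 8;       /* bytes per coordinate */

  if (!bits)
    return Q_UNKNOWN_CURVE;
  if (!qlen || q[0] != 0x04)          /* rejects any other first byte */
    return Q_NOT_UNCOMPRESSED;
  if (qlen != 1 + 2 * flen)           /* 0x04 || X || Y, fixed width */
    return Q_BAD_LENGTH;
  return Q_OK;
}
```

This check covers only the encoding of the NIST curves listed here; EdDSA keys, which use their own compression scheme and the optional 0x40 prefix, need a separate rule.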

