bcgit
diff --git a/‎CONTRIBUTORS.html‎
Lines changed: 1 addition & 0 deletions b/‎CONTRIBUTORS.html‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎core/src/main/java/org/bouncycastle/asn1/ua/DSTU4145NamedCurves.java‎
Lines changed: 18 additions & 10 deletions b/‎core/src/main/java/org/bouncycastle/asn1/ua/DSTU4145NamedCurves.java‎
Lines changed: 18 additions & 10 deletions
diff --git a/‎core/src/main/java/org/bouncycastle/crypto/agreement/ecjpake/ECJPAKECurve.java‎
Lines changed: 2 additions & 10 deletions b/‎core/src/main/java/org/bouncycastle/crypto/agreement/ecjpake/ECJPAKECurve.java‎
Lines changed: 2 additions & 10 deletions
diff --git a/‎core/src/main/java/org/bouncycastle/crypto/kems/SAKKEKEMExtractor.java‎
Lines changed: 45 additions & 32 deletions b/‎core/src/main/java/org/bouncycastle/crypto/kems/SAKKEKEMExtractor.java‎
Lines changed: 45 additions & 32 deletions
diff --git a/‎core/src/main/java/org/bouncycastle/crypto/kems/SAKKEKEMSGenerator.java‎
Lines changed: 29 additions & 26 deletions b/‎core/src/main/java/org/bouncycastle/crypto/kems/SAKKEKEMSGenerator.java‎
Lines changed: 29 additions & 26 deletions
diff --git a/‎core/src/main/java/org/bouncycastle/crypto/params/SAKKEPublicKeyParameters.java‎
Lines changed: 14 additions & 6 deletions b/‎core/src/main/java/org/bouncycastle/crypto/params/SAKKEPublicKeyParameters.java‎
Lines changed: 14 additions & 6 deletions
@@ -567,6 +567,7 @@
 <li>Léonard Dallot &lt;[email protected]&gt; - initial patches for GNU PG Divert to card format support.</li>
 <li>Linuka Ratnayake &lt;https://github.com/linukaratnayake&gt; - initial patches for including KEM-type algorithms in TLS key shares.</li>
 <li>Rune Flobakk &lt;https://github.com/runeflobakk&gt; - initial gradle mods for BOM (Bill of Materials) creation.</li>
+<li>Jon Marius Venstad &lt;https://github.com/jonmv&gt; - Fixed a KangarooTwelve padding bug caused by premature absorption of queued data.</li>
 </ul>
 </body>
 </html>
@@ -6,6 +6,7 @@
 import org.bouncycastle.crypto.params.ECDomainParameters;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
+import org.bouncycastle.math.ec.WNafUtil;
 
 public class DSTU4145NamedCurves
 {
@@ -19,6 +20,13 @@ public class DSTU4145NamedCurves
     //where X is the curve number 0-9
     static final String oidBase = UAObjectIdentifiers.dstu4145le.getId() + ".2.";
 
+    private static ECPoint configureBasepoint(ECCurve curve, BigInteger x, BigInteger y)
+    {
+        ECPoint G = curve.createPoint(x, y);
+        WNafUtil.configureBasepoint(G);
+        return G;
+    }
+
     static
     {
         BigInteger[] n_s = new BigInteger[10];
@@ -58,16 +66,16 @@ public class DSTU4145NamedCurves
         curves[9] = new ECCurve.F2m(431, 1, 3, 5, ONE, new BigInteger("03CE10490F6A708FC26DFE8C3D27C4F94E690134D5BFF988D8D28AAEAEDE975936C66BAC536B18AE2DC312CA493117DAA469C640CAF3", 16), n_s[9], h_s[9]);
 
         ECPoint[] points = new ECPoint[10];
-        points[0] = curves[0].createPoint(new BigInteger("2E2F85F5DD74CE983A5C4237229DAF8A3F35823BE", 16), new BigInteger("3826F008A8C51D7B95284D9D03FF0E00CE2CD723A", 16));
-        points[1] = curves[1].createPoint(new BigInteger("7A1F6653786A68192803910A3D30B2A2018B21CD54", 16), new BigInteger("5F49EB26781C0EC6B8909156D98ED435E45FD59918", 16));
-        points[2] = curves[2].createPoint(new BigInteger("4D41A619BCC6EADF0448FA22FAD567A9181D37389CA", 16), new BigInteger("10B51CC12849B234C75E6DD2028BF7FF5C1CE0D991A1", 16));
-        points[3] = curves[3].createPoint(new BigInteger("6BA06FE51464B2BD26DC57F48819BA9954667022C7D03", 16), new BigInteger("25FBC363582DCEC065080CA8287AAFF09788A66DC3A9E", 16));
-        points[4] = curves[4].createPoint(new BigInteger("714114B762F2FF4A7912A6D2AC58B9B5C2FCFE76DAEB7129", 16), new BigInteger("29C41E568B77C617EFE5902F11DB96FA9613CD8D03DB08DA", 16));
-        points[5] = curves[5].createPoint(new BigInteger("3FCDA526B6CDF83BA1118DF35B3C31761D3545F32728D003EEB25EFE96", 16), new BigInteger("9CA8B57A934C54DEEDA9E54A7BBAD95E3B2E91C54D32BE0B9DF96D8D35", 16));
-        points[6] = curves[6].createPoint(new BigInteger("02A29EF207D0E9B6C55CD260B306C7E007AC491CA1B10C62334A9E8DCD8D20FB7", 16), new BigInteger("10686D41FF744D4449FCCF6D8EEA03102E6812C93A9D60B978B702CF156D814EF", 16));
-        points[7] = curves[7].createPoint(new BigInteger("216EE8B189D291A0224984C1E92F1D16BF75CCD825A087A239B276D3167743C52C02D6E7232AA", 16), new BigInteger("5D9306BACD22B7FAEB09D2E049C6E2866C5D1677762A8F2F2DC9A11C7F7BE8340AB2237C7F2A0", 16));
-        points[8] = curves[8].createPoint(new BigInteger("324A6EDDD512F08C49A99AE0D3F961197A76413E7BE81A400CA681E09639B5FE12E59A109F78BF4A373541B3B9A1", 16), new BigInteger("1AB597A5B4477F59E39539007C7F977D1A567B92B043A49C6B61984C3FE3481AAF454CD41BA1F051626442B3C10", 16));
-        points[9] = curves[9].createPoint(new BigInteger("1A62BA79D98133A16BBAE7ED9A8E03C32E0824D57AEF72F88986874E5AAE49C27BED49A2A95058068426C2171E99FD3B43C5947C857D", 16), new BigInteger("70B5E1E14031C1F70BBEFE96BDDE66F451754B4CA5F48DA241F331AA396B8D1839A855C1769B1EA14BA53308B5E2723724E090E02DB9", 16));
+        points[0] = configureBasepoint(curves[0], new BigInteger("2E2F85F5DD74CE983A5C4237229DAF8A3F35823BE", 16), new BigInteger("3826F008A8C51D7B95284D9D03FF0E00CE2CD723A", 16));
+        points[1] = configureBasepoint(curves[1], new BigInteger("7A1F6653786A68192803910A3D30B2A2018B21CD54", 16), new BigInteger("5F49EB26781C0EC6B8909156D98ED435E45FD59918", 16));
+        points[2] = configureBasepoint(curves[2], new BigInteger("4D41A619BCC6EADF0448FA22FAD567A9181D37389CA", 16), new BigInteger("10B51CC12849B234C75E6DD2028BF7FF5C1CE0D991A1", 16));
+        points[3] = configureBasepoint(curves[3], new BigInteger("6BA06FE51464B2BD26DC57F48819BA9954667022C7D03", 16), new BigInteger("25FBC363582DCEC065080CA8287AAFF09788A66DC3A9E", 16));
+        points[4] = configureBasepoint(curves[4], new BigInteger("714114B762F2FF4A7912A6D2AC58B9B5C2FCFE76DAEB7129", 16), new BigInteger("29C41E568B77C617EFE5902F11DB96FA9613CD8D03DB08DA", 16));
+        points[5] = configureBasepoint(curves[5], new BigInteger("3FCDA526B6CDF83BA1118DF35B3C31761D3545F32728D003EEB25EFE96", 16), new BigInteger("9CA8B57A934C54DEEDA9E54A7BBAD95E3B2E91C54D32BE0B9DF96D8D35", 16));
+        points[6] = configureBasepoint(curves[6], new BigInteger("02A29EF207D0E9B6C55CD260B306C7E007AC491CA1B10C62334A9E8DCD8D20FB7", 16), new BigInteger("10686D41FF744D4449FCCF6D8EEA03102E6812C93A9D60B978B702CF156D814EF", 16));
+        points[7] = configureBasepoint(curves[7], new BigInteger("216EE8B189D291A0224984C1E92F1D16BF75CCD825A087A239B276D3167743C52C02D6E7232AA", 16), new BigInteger("5D9306BACD22B7FAEB09D2E049C6E2866C5D1677762A8F2F2DC9A11C7F7BE8340AB2237C7F2A0", 16));
+        points[8] = configureBasepoint(curves[8], new BigInteger("324A6EDDD512F08C49A99AE0D3F961197A76413E7BE81A400CA681E09639B5FE12E59A109F78BF4A373541B3B9A1", 16), new BigInteger("1AB597A5B4477F59E39539007C7F977D1A567B92B043A49C6B61984C3FE3481AAF454CD41BA1F051626442B3C10", 16));
+        points[9] = configureBasepoint(curves[9], new BigInteger("1A62BA79D98133A16BBAE7ED9A8E03C32E0824D57AEF72F88986874E5AAE49C27BED49A2A95058068426C2171E99FD3B43C5947C857D", 16), new BigInteger("70B5E1E14031C1F70BBEFE96BDDE66F451754B4CA5F48DA241F331AA396B8D1839A855C1769B1EA14BA53308B5E2723724E090E02DB9", 16));
 
         for (int i = 0; i < params.length; i++)
         {
 
@@ -99,16 +99,8 @@ public ECJPAKECurve(BigInteger q, BigInteger a, BigInteger b, BigInteger n, BigI
          */
 //        BigInteger totalPoints = n.multiply(h);
 
-        ECCurve.Fp curve = new ECCurve.Fp(q, a, b, n, h);
-        ECPoint g = curve.createPoint(g_x, g_y);
-
-        if (!g.isValid())
-        {
-            throw new IllegalArgumentException("The base point G does not lie on the curve.");
-        }
-
-        this.curve = curve;
-        this.g = g;
+        this.curve = new ECCurve.Fp(q, a, b, n, h);
+        this.g = curve.validatePoint(g_x, g_y);
     }
 
     /**
 
@@ -6,6 +6,7 @@
 import org.bouncycastle.crypto.EncapsulatedSecretExtractor;
 import org.bouncycastle.crypto.params.SAKKEPrivateKeyParameters;
 import org.bouncycastle.crypto.params.SAKKEPublicKeyParameters;
+import org.bouncycastle.math.ec.ECAlgorithms;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.util.Arrays;
@@ -93,9 +94,22 @@ public byte[] extractSecret(byte[] encapsulation)
         BigInteger r = SAKKEKEMSGenerator.hashToIntegerRange(Arrays.concatenate(ssv.toByteArray(), b.toByteArray()), q, digest);
 
         // Step 5: Validate R_bS
-        ECPoint bP = P.multiply(b).normalize();
-        ECPoint Test = bP.add(Z_S).multiply(r).normalize();
-        if (!R_bS.equals(Test))
+        ECPoint Test;
+
+        BigInteger order = curve.getOrder();
+        if (order == null)
+        {
+            Test = P.multiply(b).add(Z_S).multiply(r);
+        }
+        else
+        {
+            BigInteger a = b.multiply(r).mod(order);
+            Test = ECAlgorithms.sumOfTwoMultiplies(P, a, Z_S, r);
+        }
+
+        Test = Test.subtract(R_bS);
+
+        if (!Test.isInfinity())
         {
             throw new IllegalStateException("Validation of R_bS failed");
         }
@@ -122,7 +136,7 @@ public int getEncapsulationLength()
     static BigInteger computePairing(ECPoint R, ECPoint Q, BigInteger p, BigInteger q)
     {
         // v = (1,0) in F_p^2
-        BigInteger[] v = new BigInteger[]{BigInteger.ONE, BigInteger.ZERO};
+        BigInteger[] v = new BigInteger[]{ BigInteger.ONE, BigInteger.ZERO };
         ECPoint C = R;
 
         BigInteger qMinusOne = q.subtract(BigInteger.ONE);
@@ -131,23 +145,21 @@ static BigInteger computePairing(ECPoint R, ECPoint Q, BigInteger p, BigInteger
         BigInteger Qy = Q.getAffineYCoord().toBigInteger();
         BigInteger Rx = R.getAffineXCoord().toBigInteger();
         BigInteger Ry = R.getAffineYCoord().toBigInteger();
-        BigInteger l, Cx, Cy;
         final BigInteger three = BigInteger.valueOf(3);
-        final BigInteger two = BigInteger.valueOf(2);
 
         // Miller loop
         for (int i = numBits - 2; i >= 0; i--)
         {
-            Cx = C.getAffineXCoord().toBigInteger();
-            Cy = C.getAffineYCoord().toBigInteger();
+            BigInteger Cx = C.getAffineXCoord().toBigInteger();
+            BigInteger Cy = C.getAffineYCoord().toBigInteger();
 
             // Compute l = (3 * (Cx^2 - 1)) / (2 * Cy) mod p
-            l = three.multiply(Cx.multiply(Cx).subtract(BigInteger.ONE))
-                .multiply(Cy.multiply(two).modInverse(p)).mod(p);
+            BigInteger l = Cx.multiply(Cx).mod(p).subtract(BigInteger.ONE).multiply(three)
+                .multiply(BigIntegers.modOddInverse(p, Cy.shiftLeft(1))).mod(p);
 
             // Compute v = v^2 * ( l*( Q_x + C_x ) + ( i*Q_y - C_y ) )
             v = fp2PointSquare(v[0], v[1], p);
-            v = fp2Multiply(v[0], v[1], l.multiply(Qx.add(Cx)).subtract(Cy), Qy, p);
+            v = fp2Multiply(v[0], v[1], l.multiply(Qx.add(Cx)).subtract(Cy).mod(p), Qy, p);
 
             C = C.twice().normalize();  // C = [2]C
 
@@ -157,55 +169,56 @@ static BigInteger computePairing(ECPoint R, ECPoint Q, BigInteger p, BigInteger
                 Cy = C.getAffineYCoord().toBigInteger();
 
                 // Compute l = (Cy - Ry) / (Cx - Rx) mod p
-                l = Cy.subtract(Ry).multiply(Cx.subtract(Rx).modInverse(p)).mod(p);
+                l = Cy.subtract(Ry).multiply(BigIntegers.modOddInverse(p, Cx.subtract(Rx))).mod(p);
 
                 // Compute v = v * ( l*( Q_x + C_x ) + ( i*Q_y - C_y ) )
-                v = fp2Multiply(v[0], v[1], l.multiply(Qx.add(Cx)).subtract(Cy), Qy, p);
+                v = fp2Multiply(v[0], v[1], l.multiply(Qx.add(Cx)).subtract(Cy).mod(p), Qy, p);
 
-                C = C.add(R).normalize();
+                if (i > 0)
+                {
+                    C = C.add(R).normalize();
+                }
             }
         }
 
         // Final exponentiation: t = v^c
         v = fp2PointSquare(v[0], v[1], p);
         v = fp2PointSquare(v[0], v[1], p);
-        return v[1].multiply(v[0].modInverse(p)).mod(p);
+        BigInteger v0Inv = BigIntegers.modOddInverse(p, v[0]);
+        return v[1].multiply(v0Inv).mod(p);
     }
 
     /**
      * Performs multiplication in F_p^2 field.
      *
-     * @param x_real Real component of first operand
-     * @param x_imag Imaginary component of first operand
-     * @param y_real Real component of second operand
-     * @param y_imag Imaginary component of second operand
+     * @param a0 Real component of first operand
+     * @param b0 Imaginary component of first operand
+     * @param a1 Real component of second operand
+     * @param b1 Imaginary component of second operand
      * @param p      Prime field characteristic
      * @return Result of multiplication in F_p^2 as [real, imaginary] array
      */
-    static BigInteger[] fp2Multiply(BigInteger x_real, BigInteger x_imag, BigInteger y_real, BigInteger y_imag, BigInteger p)
+    static BigInteger[] fp2Multiply(BigInteger a0, BigInteger b0, BigInteger a1, BigInteger b1, BigInteger p)
     {
         return new BigInteger[]{
-            x_real.multiply(y_real).subtract(x_imag.multiply(y_imag)).mod(p),
-            x_real.multiply(y_imag).add(x_imag.multiply(y_real)).mod(p)
+            a0.multiply(a1).subtract(b0.multiply(b1)).mod(p),
+            a0.multiply(b1).add(b0.multiply(a1)).mod(p)
         };
     }
 
     /**
      * Computes squaring operation in F_p^2 field.
      *
-     * @param currentX Real component of input
-     * @param currentY Imaginary component of input
+     * @param a Real component of input
+     * @param b Imaginary component of input
      * @param p        Prime field characteristic
      * @return Squared result in F_p^2 as [newX, newY] array
      */
-    static BigInteger[] fp2PointSquare(BigInteger currentX, BigInteger currentY, BigInteger p)
+    static BigInteger[] fp2PointSquare(BigInteger a, BigInteger b, BigInteger p)
     {
-        BigInteger xPlusY = currentX.add(currentY).mod(p);
-        BigInteger xMinusY = currentX.subtract(currentY).mod(p);
-        BigInteger newX = xPlusY.multiply(xMinusY).mod(p);
-
-        // Compute newY = 2xy mod p
-        BigInteger newY = currentX.multiply(currentY).multiply(BigInteger.valueOf(2)).mod(p);
-        return new BigInteger[]{newX, newY};
+        return new BigInteger[]{
+            a.add(b).multiply(a.subtract(b)).mod(p),
+            a.multiply(b).shiftLeft(1).mod(p)
+        };
     }
 }
@@ -8,6 +8,7 @@
 import org.bouncycastle.crypto.SecretWithEncapsulation;
 import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
 import org.bouncycastle.crypto.params.SAKKEPublicKeyParameters;
+import org.bouncycastle.math.ec.ECAlgorithms;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.util.Arrays;
@@ -85,51 +86,53 @@ public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recip
 
 
         // 3. Compute R_(b,S) = [r]([b]P + Z_S)
-        ECPoint bP = P.multiply(b).normalize();
-        ECPoint R_bS = bP.add(Z).multiply(r).normalize();
+        ECPoint R_bS;
+
+        BigInteger order = curve.getOrder();
+        if (order == null)
+        {
+            R_bS = P.multiply(b).add(Z).multiply(r).normalize();
+        }
+        else
+        {
+            BigInteger a = b.multiply(r).mod(order);
+            R_bS = ECAlgorithms.sumOfTwoMultiplies(P, a, Z, r).normalize();
+        }
 
         // 4. Compute H = SSV XOR HashToIntegerRange( g^r, 2^n )
         BigInteger pointX = BigInteger.ONE;
         BigInteger pointY = g;
-        BigInteger[] v = new BigInteger[2];
 
         // Initialize result with the original point
-        BigInteger currentX = BigInteger.ONE;
-        BigInteger currentY = g;
-        ECPoint current = curve.createPoint(currentX, currentY);
+        BigInteger v0 = BigInteger.ONE;
+        BigInteger v1 = g;
+        ECPoint current = curve.createPoint(v0, v1);
 
-        int numBits = r.bitLength();
-        BigInteger[] rlt;
         // Process bits from MSB-1 down to 0
-        for (int i = numBits - 2; i >= 0; i--)
+        for (int i = r.bitLength() - 2; i >= 0; i--)
         {
             // Square the current point
-            rlt = SAKKEKEMExtractor.fp2PointSquare(currentX, currentY, p);
+            BigInteger[] rlt = SAKKEKEMExtractor.fp2PointSquare(v0, v1, p);
             current = current.timesPow2(2);
-            currentX = rlt[0];
-            currentY = rlt[1];
+            v0 = rlt[0];
+            v1 = rlt[1];
             // Multiply if bit is set
             if (r.testBit(i))
             {
-                rlt = SAKKEKEMExtractor.fp2Multiply(currentX, currentY, pointX, pointY, p);
+                rlt = SAKKEKEMExtractor.fp2Multiply(v0, v1, pointX, pointY, p);
 
-                currentX = rlt[0];
-                currentY = rlt[1];
+                v0 = rlt[0];
+                v1 = rlt[1];
             }
         }
 
-        v[0] = currentX;
-        v[1] = currentY;
-        BigInteger g_r = v[1].multiply(v[0].modInverse(p)).mod(p);
+        BigInteger v0Inv = BigIntegers.modOddInverse(p, v0);
+        BigInteger g_r = v1.multiply(v0Inv).mod(p);
 
         BigInteger mask = hashToIntegerRange(g_r.toByteArray(), BigInteger.ONE.shiftLeft(n), digest); // 2^n
 
         BigInteger H = ssv.xor(mask);
         // 5. Encode encapsulated data (R_bS, H)
-//        byte[] encapsulated = Arrays.concatenate(new byte[]{(byte)0x04},
-//            BigIntegers.asUnsignedByteArray(n, R_bS.getXCoord().toBigInteger()),
-//            BigIntegers.asUnsignedByteArray(n, R_bS.getYCoord().toBigInteger()),
-//            BigIntegers.asUnsignedByteArray(16, H));
         byte[] encapsulated = Arrays.concatenate(R_bS.getEncoded(false), BigIntegers.asUnsignedByteArray(16, H));
 
         return new SecretWithEncapsulationImpl(
@@ -141,20 +144,21 @@ public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recip
     static BigInteger hashToIntegerRange(byte[] input, BigInteger q, Digest digest)
     {
         // RFC 6508 Section 5.1: Hashing to an Integer Range
-        byte[] hash = new byte[digest.getDigestSize()];
+        byte[] A = new byte[digest.getDigestSize()];
 
         // Step 1: Compute A = hashfn(s)
         digest.update(input, 0, input.length);
-        digest.doFinal(hash, 0);
-        byte[] A = Arrays.clone(hash);
+        digest.doFinal(A, 0);
 
         // Step 2: Initialize h_0 to all-zero bytes of hashlen size
         byte[] h = new byte[digest.getDigestSize()];
 
         // Step 3: Compute l = Ceiling(lg(n)/hashlen)
+        // FIXME Seems hardcoded to 256 bit digest?
         int l = q.bitLength() >> 8;
 
         BigInteger v = BigInteger.ZERO;
+        byte[] v_i = new byte[digest.getDigestSize()];
 
         // Step 4: Compute h_i and v_i
         for (int i = 0; i <= l; i++)
@@ -165,7 +169,6 @@ static BigInteger hashToIntegerRange(byte[] input, BigInteger q, Digest digest)
             // v_i = hashfn(h_i || A)
             digest.update(h, 0, h.length);
             digest.update(A, 0, A.length);
-            byte[] v_i = new byte[digest.getDigestSize()];
             digest.doFinal(v_i, 0);
             // Append v_i to v'
             v = v.shiftLeft(v_i.length * 8).add(new BigInteger(1, v_i));
 
@@ -6,6 +6,7 @@
 import org.bouncycastle.crypto.digests.SHA256Digest;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
+import org.bouncycastle.math.ec.WNafUtil;
 import org.bouncycastle.util.encoders.Hex;
 
 /**
@@ -36,6 +37,13 @@
 public class SAKKEPublicKeyParameters
     extends AsymmetricKeyParameter
 {
+    private static ECPoint configureBasepoint(ECCurve curve, BigInteger x, BigInteger y)
+    {
+        ECPoint G = curve.createPoint(x, y);
+        WNafUtil.configureBasepoint(G);
+        return G;
+    }
+    
     /**
      * Prime modulus p defining the finite field F_p (RFC 6508, Section 2.1).
      * Value from RFC 6509 Appendix A.
@@ -91,18 +99,18 @@ public class SAKKEPublicKeyParameters
      * Uses parameters from RFC 6509 Appendix A.
      */
     private static final ECCurve.Fp curve = new ECCurve.Fp(
-        p,                                   // Prime p
-        BigInteger.valueOf(-3).mod(p),             // a = -3
-        BigInteger.ZERO, // ,
-        g,                                  // Order of the subgroup (from RFC 6509)
-        BigInteger.ONE                      // Cofactor = 1
+        p,                                 // Prime p
+        p.subtract(BigInteger.valueOf(3)), // a = -3
+        BigInteger.ZERO,
+        q,                                 // Order of the subgroup (from RFC 6509)
+        BigInteger.valueOf(4)              // Cofactor = 1
     );
 
     /**
      * Base point P on the elliptic curve E(F_p) (RFC 6508, Section 3.1).
      * Coordinates from RFC 6509 Appendix A.
      */
-    static final ECPoint P = curve.createPoint(Px, Py);
+    static final ECPoint P = configureBasepoint(curve, Px, Py);
     /** KMS Public Key Z_S = [z_S]P (RFC 6508, Section 2.2) */
     private final ECPoint Z;
     /** User's Identifier (RFC 6508, Section 2.2) */