libgcrypt: Elliptic Curve Points Compact Representation

NIIBE Yutaka gniibe at
Tue Nov 6 00:55:22 CET 2018


I don't know any about IEEE 1609.2, so, my explanation may be completely

Yann Garcia <yann.garcia at> wrote:
> This standard uses extensively the canonical form which is defined by using
> compact representation of public x,y keys.
> My trouble is how can I retrieve the private and uncompressed public keys
> when only the y key sign (LSB bit is 0 or 1) and the x public key is
> provided?
> NOTE: The Nist P-256 ECC curve is used.

The appropriate Weierstrass equation can determince Y.  It's:

	y^2 = x^3 + a*x + b

Given x, you can compute x^3 + a*x + b, which should be y^2, then, in
the range of (-p,p) there are two values for such y (you can get one by
sqrt function).  Among two, you can choice y by sign information.

In the context of libgcrypt, we adopt the technique for
choosing y with no sign information:

And... for detail, this document helps, I suppose.

More information about the Gcrypt-devel mailing list