libgcrypt: Elliptic Curve Points Compact Representation
gniibe at fsij.org
Tue Nov 6 00:55:22 CET 2018
I don't know any about IEEE 1609.2, so, my explanation may be completely
Yann Garcia <yann.garcia at fscom.fr> wrote:
> This standard uses extensively the canonical form which is defined by using
> compact representation of public x,y keys.
> My trouble is how can I retrieve the private and uncompressed public keys
> when only the y key sign (LSB bit is 0 or 1) and the x public key is
> NOTE: The Nist P-256 ECC curve is used.
The appropriate Weierstrass equation can determince Y. It's:
y^2 = x^3 + a*x + b
Given x, you can compute x^3 + a*x + b, which should be y^2, then, in
the range of (-p,p) there are two values for such y (you can get one by
sqrt function). Among two, you can choice y by sign information.
In the context of libgcrypt, we adopt the technique for
choosing y with no sign information:
And... for detail, this document helps, I suppose.
More information about the Gcrypt-devel