libgcrypt: Elliptic Curve Points Compact Representation

NIIBE Yutaka gniibe at fsij.org
Tue Nov 6 00:55:22 CET 2018


Hello,

I don't know anything about IEEE 1609.2, so my explanation may be completely
wrong...

Yann Garcia <yann.garcia at fscom.fr> wrote:
> This standard uses extensively the canonical form which is defined by using
> compact representation of public x,y keys.
>
> My trouble is how can I retrieve the private and uncompressed public keys
> when only the y key sign (LSB bit is 0 or 1) and the x public key is
> provided?
>
> NOTE: The Nist P-256 ECC curve is used.

The appropriate Weierstrass equation can determine Y.  It's:

	y^2 = x^3 + a*x + b

Given x, you can compute x^3 + a*x + b, which should be y^2, then, in
the range of (-p,p) there are two values for such y (you can get one by
sqrt function).  Among the two, you can choose y by sign information.

In the context of libgcrypt, we adopt the technique for
choosing y with no sign information:

    https://www.ietf.org/archive/id/draft-jivsov-ecc-compact-05.txt

And... for detail, this document helps, I suppose.
-- 
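
Added example, not part of the original message and not libgcrypt code: the recovery of y from x described above, for NIST P-256, using plain Python integers. The function names are illustrative, and `recover_y_compact` assumes that the sign-free rule of the linked draft is to take the smaller of the two roots.

```python
# Added example: NIST P-256 (secp256r1) point decompression.
# Domain parameters as published in FIPS 186 / SEC 2.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point, used here only as a known-good test vector.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def roots(x):
    """Return both y with y^2 = x^3 + a*x + b (mod p), or raise ValueError."""
    if not isinstance(x, int) or not 0 <= x < P:
        raise ValueError("x is not a field element")
    rhs = (pow(x, 3, P) + A * x + B) % P
    # p % 4 == 3, so rhs^((p+1)/4) is a square root whenever one exists.
    y = pow(rhs, (P + 1) // 4, P)
    # About half of all x values have no matching y; reject them instead of
    # returning a point that is not on the curve.
    if (y * y) % P != rhs:
        raise ValueError("x is not the x-coordinate of a P-256 point")
    return y, (P - y) % P


def recover_y(x, y_lsb):
    """Pick the root whose least significant bit equals y_lsb (0 or 1)."""
    if y_lsb not in (0, 1):
        raise ValueError("y_lsb must be 0 or 1")
    y0, y1 = roots(x)
    # p is odd, so y and p - y differ in parity. P-256 has prime order,
    # hence no point with y == 0, and the choice is never ambiguous.
    return y0 if (y0 & 1) == y_lsb else y1


def recover_y_compact(x):
    """No sign bit available: take the smaller root (assumed draft rule)."""
    return min(roots(x))


if __name__ == "__main__":
    print(hex(recover_y(GX, GY & 1)))
```

Check the result of `roots` before using the point: an x that fails the square test has to be rejected, not passed on to scalar multiplication.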


