libgcrypt: Elliptic Curve Points Compact Representation

Yann Garcia yann.garcia at fscom.fr
Wed Nov 7 11:25:01 CET 2018


Hello Niibe,

I took a look at the link, and in fact I want to do the opposite: I have an
ephemeral encryption key such as:
compressed_y_1 := 'CF2A7D7467F217A6B7AEF4C34452A4C62FEDA99C1E1EDEB740F662841B84D394'O
compressed_y_1 means that the LSB bit of Y is 1.
Knowing that I'm working with the NIST P-256 elliptic curve, I want to
calculate Y^2 first.
To do it, I wrote this code:
    /* y^2 = x^3 + a*x + b (mod p) */
    three = gcry_mpi_set_ui (NULL, 3);
    x_3   = gcry_mpi_new (0);
    axb   = gcry_mpi_new (0);
    y_2   = gcry_mpi_new (0);
    gcry_mpi_powm (x_3, x, three, p);  /* x_3 = x^3 mod p */
    gcry_mpi_mulm (axb, a, x, p);      /* axb = a*x mod p */
    gcry_mpi_addm (axb, axb, b, p);    /* axb = a*x + b mod p */
    gcry_mpi_addm (y_2, x_3, axb, p);  /* y_2 = x^3 + a*x + b mod p */
    show_mpi("y_2", "", y_2);
Where a, b, p are parameters from the NIST P-256 elliptic curve.

My concern now is how to get the two possible values of y?

Many thanks in advance for your help,

Best regards,

Yann Garcia
Senior Software Engineer
Microsoft MCAD.net Certified
**************************************
FSCOM SARL
Le Montespan B2
6, Avenue des Alpes
F-06600 Antibes, FRANCE
************************************************
Tel: +33 (0)4 92 94 49 08
Mobile: +33 (0)6 68 94 57 76
Email: *yann.garcia at fscom.fr <yann.garcia at fscom.fr>*
Skype: yann.garcia
Google+: garcia.yann at gmail.com


On Tue, 6 Nov 2018 at 07:02, Yann Garcia <yann.garcia at fscom.fr> wrote:

> Hello Gniibe,
>
> Many thanks for the link.
>
> Best regards,
>
> Yann Garcia
>
> On Tue, 6 Nov 2018 at 00:55, NIIBE Yutaka <gniibe at fsij.org> wrote:
>
>> Hello,
>>
>> I don't know anything about IEEE 1609.2, so my explanation may be completely
>> wrong...
>>
>> Yann Garcia <yann.garcia at fscom.fr> wrote:
>> > This standard uses extensively the canonical form which is defined by using
>> > compact representation of public x,y keys.
>> >
>> > My trouble is how can I retrieve the private and uncompressed public keys
>> > when only the y key sign (LSB bit is 0 or 1) and the x public key is
>> > provided?
>> >
>> > NOTE: The Nist P-256 ECC curve is used.
>>
>> The appropriate Weierstrass equation can determine Y.  It's:
>>
>>         y^2 = x^3 + a*x + b
>>
>> Given x, you can compute x^3 + a*x + b, which should be y^2, then, in
>> the range of (-p,p) there are two values for such y (you can get one by
>> sqrt function).  Among the two, you can choose y by sign information.
>>
>> In the context of libgcrypt, we adopt the technique for
>> choosing y with no sign information:
>>
>>     https://www.ietf.org/archive/id/draft-jivsov-ecc-compact-05.txt
>>
>> And... for detail, this document helps, I suppose.
>> --
>>
>
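
The decompression discussed in this thread, as an added example that is not part of the original messages and not libgcrypt code: it computes both roots of x^3 + a*x + b on NIST P-256 and picks one by the LSB flag, rejecting x values that are not on the curve. It is written in Python so it runs without the library; the function names are hypothetical, and the square root step corresponds to one gcry_mpi_powm call with exponent (p+1)/4.

```python
# NIST P-256 domain parameters: y^2 = x^3 + a*x + b (mod p), with a = -3.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Standard P-256 base point, used here as a known-answer check.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
# x coordinate quoted in the message above (sent with y LSB = 1).
PAGE_X = 0xCF2A7D7467F217A6B7AEF4C34452A4C62FEDA99C1E1EDEB740F662841B84D394


def y_candidates(x):
    """Return both roots (y, p - y) of x^3 + a*x + b; raise if x is off-curve."""
    if not 0 <= x < P:
        raise ValueError("x is not a field element")
    rhs = (pow(x, 3, P) + A * x + B) % P
    # p % 4 == 3 for P-256, so a root of a quadratic residue is rhs^((p+1)/4).
    y = pow(rhs, (P + 1) // 4, P)
    # For a non-residue the exponentiation still returns a number, so the
    # candidate must be squared and compared before it is trusted.
    if (y * y) % P != rhs:
        raise ValueError("no point on P-256 has this x coordinate")
    return y, (P - y) % P


def decompress(x, y_lsb):
    """Select the root whose least significant bit equals y_lsb (0 or 1)."""
    y0, y1 = y_candidates(x)
    # p is odd, so y and p - y always differ in their lowest bit.
    return y0 if (y0 & 1) == y_lsb else y1


if __name__ == "__main__":
    print("G  y = %064X" % decompress(GX, GY & 1))
    try:
        print("key y = %064X" % decompress(PAGE_X, 1))
    except ValueError as err:
        print("key rejected:", err)
```

The on-curve check matters when x comes from a peer: accepting an unchecked root lets a value that is not a P-256 point flow into later key agreement.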