Nist P256: How to calculate Y public key when knowing X and the LSB bit of Y public key

Yann Garcia garcia.yann at
Fri Nov 9 09:02:34 CET 2018

Dear All,

I was requested to write a dissector for Wireshark where I need to decrypt
data. I have the ephemeral X public key provided in compressed format.
This means:

compressed_y_1 :=
compressed_y_1 means that the LSB bit of Y in 1.

I know I have t use Nist P256 (or Brainpool P256 r1).

My problem is to calculate Y based on previous information.
First I calculated Y^2:
    /* y^2=x^3+a*x+b */
    three = gcry_mpi_set_ui (NULL, 3);
    x_3   = gcry_mpi_new (0);
    axb   = gcry_mpi_new (0);
    y_2   = gcry_mpi_new (0);
    gcry_mpi_powm (x_3, x, three, p); // w = b^e \bmod m.
    gcry_mpi_mulm (axb, a, x, p);
    gcry_mpi_addm (axb, axb, b, p);
    gcry_mpi_addm (y_2, x_3, axb, p);
    show_mpi("y_2", "", y_2);
Where a, b, p are parameters from the Nist P-256 elliptic curve.

My concerns now is how to get the two possible values of y? In other words,
how can I calculate sqrt(y^2).

I did some research on the Internet, but what I found is too much
Mathematical oriented and I was lost. I need something close than an
algorithm I can implement with libgcrypt MIP library.

Please can anyone provide me to some hints?

Many thanks in advance for your help,

Best regards,

Yann Garcia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Gcrypt-devel mailing list