<div dir="ltr"><div dir="ltr"><div dir="ltr">Hello Niibe,<div><br></div><div>I take a look to the link and in fact I want to do the opposite: I have an ephemeral encryption key such as: </div><div>compressed_y_1 := 'CF2A7D7467F217A6B7AEF4C34452A4C62FEDA99C1E1EDEB740F662841B84D394'O<br clear="all"><div><div dir="ltr" class="gmail-m_5133983488386661913gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr">compressed_y_1 means that the LSB bit of Y in 1.</div><div>Knowing that I'm working with NIST P-256 elliptic curve, I want to calculate first Y^2.</div><div>To do it: I wrote this code:</div><div><div> /* y^2=x^3+a*x+b */</div><div> three = gcry_mpi_set_ui (NULL, 3);</div><div> x_3 = gcry_mpi_new (0);</div><div> axb = gcry_mpi_new (0);</div><div> y_2 = gcry_mpi_new (0);</div><div> gcry_mpi_powm (x_3, x, three, p); // w = b^e \bmod m.</div><div> gcry_mpi_mulm (axb, a, x, p);</div><div> gcry_mpi_addm (axb, axb, b, p);</div><div> gcry_mpi_addm (y_2, x_3, axb, p);</div><div> show_mpi("y_2", "", y_2);</div></div><div>Where a, b, p are parameters from the Nist P-256 elliptic curve.<br></div><div><br></div><div>My concerns now is how to get the two possible values of y?</div><div> <span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Many thanks in advance fir your help,</span></div><div><span style="font-size:12.8px"><br></span></div><div dir="ltr"><span style="font-size:12.8px">Best regards,</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Yann Garcia</span><br style="font-size:12.8px"><span style="font-size:12.8px;color:rgb(0,0,0);white-space:pre-wrap">Senior Software Engineer</span><div><span style="font-size:small">Microsoft MCAD.net Certified</span><br><span style="font-size:12.8px">**************************************</span><br><span style="font-size:small">FSCOM SARL</span><br style="font-size:small"><span style="font-size:small">Le Montespan B2</span><br style="font-size:small"><span style="font-size:10pt;color:navy;font-family:Arial,sans-serif"><a href="https://maps.google.com/?q=6,%C2%A0+Avenue+des+Alpes&entry=gmail&source=g" target="_blank">6,</a> <a href="https://maps.google.com/?q=6,%C2%A0+Avenue+des+Alpes&entry=gmail&source=g" target="_blank">Avenue des Alpes</a></span><span style="font-size:12.8px;color:navy"> </span><br style="font-size:small"><span style="font-size:small">F-06600 Antibes, FRANCE</span><br><span style="font-size:12.8px">************************************************</span><br><span style="font-size:12.8px">Tel: +33 (0)4 92 94 49 08</span><br><span style="font-size:12.8px">Mobile: +33 (0)</span><span style="color:rgb(69,69,69);font-family:Arial,sans-serif;letter-spacing:normal"><font size="2">6 68 94 57 76</font></span><br><span style="font-size:12.8px">Email: </span><b style="font-size:12.8px"><a href="mailto:yann.garcia@fscom.fr" target="_blank">yann.garcia@fscom.fr</a></b></div><div style="font-size:12.8px">Skype: yann.garcia<br>Google+: <a href="mailto:garcia.yann@gmail.com" target="_blank">garcia.yann@gmail.com</a></div></div></div></div></div></div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 6 Nov 2018 at 07:02, Yann Garcia <<a href="mailto:yann.garcia@fscom.fr" target="_blank">yann.garcia@fscom.fr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello Gniibe,</div><div><br></div>Many thanks for the link.<div> <br clear="all"><div><div dir="ltr" class="m_5133983488386661913m_3573845935365649558gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="font-size:12.8px">Best regards,</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Yann Garcia</span><br style="font-size:12.8px"><span style="font-size:12.8px;color:rgb(0,0,0);white-space:pre-wrap">Senior Software Engineer</span><div><span style="font-size:small">Microsoft MCAD.net Certified</span><br><span style="font-size:12.8px">**************************************</span><br><span style="font-size:small">FSCOM SARL</span><br style="font-size:small"><span style="font-size:small">Le Montespan B2</span><br style="font-size:small"><span style="font-size:10pt;color:navy;font-family:Arial,sans-serif"><a href="https://maps.google.com/?q=6,%C2%A0+Avenue+des+Alpes&entry=gmail&source=g" target="_blank">6,</a> <a href="https://maps.google.com/?q=6,%C2%A0+Avenue+des+Alpes&entry=gmail&source=g" target="_blank">Avenue des Alpes</a></span><span style="font-size:12.8px;color:navy"> </span><br style="font-size:small"><span style="font-size:small">F-06600 Antibes, FRANCE</span><br><span style="font-size:12.8px">************************************************</span><br><span style="font-size:12.8px">Tel: +33 (0)4 92 94 49 08</span><br><span style="font-size:12.8px">Mobile: +33 (0)</span><span style="color:rgb(69,69,69);font-family:Arial,sans-serif;letter-spacing:normal"><font size="2">6 68 94 57 76</font></span><br><span style="font-size:12.8px">Email: </span><b style="font-size:12.8px"><a href="mailto:yann.garcia@fscom.fr" target="_blank">yann.garcia@fscom.fr</a></b></div><div style="font-size:12.8px">Skype: yann.garcia<br>Google+: <a href="mailto:garcia.yann@gmail.com" target="_blank">garcia.yann@gmail.com</a></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 6 Nov 2018 at 00:55, NIIBE Yutaka <<a href="mailto:gniibe@fsij.org" target="_blank">gniibe@fsij.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
I don't know any about IEEE 1609.2, so, my explanation may be completely<br>
wrong...<br>
<br>
Yann Garcia <<a href="mailto:yann.garcia@fscom.fr" target="_blank">yann.garcia@fscom.fr</a>> wrote:<br>
> This standard uses extensively the canonical form which is defined by using<br>
> compact representation of public x,y keys.<br>
><br>
> My trouble is how can I retrieve the private and uncompressed public keys<br>
> when only the y key sign (LSB bit is 0 or 1) and the x public key is<br>
> provided?<br>
><br>
> NOTE: The Nist P-256 ECC curve is used.<br>
<br>
The appropriate Weierstrass equation can determince Y. It's:<br>
<br>
y^2 = x^3 + a*x + b<br>
<br>
Given x, you can compute x^3 + a*x + b, which should be y^2, then, in<br>
the range of (-p,p) there are two values for such y (you can get one by<br>
sqrt function). Among two, you can choice y by sign information.<br>
<br>
In the context of libgcrypt, we adopt the technique for<br>
choosing y with no sign information:<br>
<br>
<a href="https://www.ietf.org/archive/id/draft-jivsov-ecc-compact-05.txt" rel="noreferrer" target="_blank">https://www.ietf.org/archive/id/draft-jivsov-ecc-compact-05.txt</a><br>
<br>
And... for detail, this document helps, I suppose.<br>
-- <br>
</blockquote></div>
</blockquote></div>