[openssl-users] X25519 - why openssl shows server temp key as 253 bits?

Viktor Dukhovni openssl-users at dukhovni.org
Tue Sep 4 14:50:53 UTC 2018

With curve25519, the scalar multiplication function:

  (x, y) -> n * (x, y) = (x', y') -> x'

has the property that for valid points on the extended curve (degree
two extension of F(p) that gives a y for every x in F(p)), x' depends
only on x, and can be effectively computed from x alone, and this can
be done for all x in F(p) since all "x" values are either on the curve
or its "twist".  Therefore, the X25519 key agreement protocol only
uses the x-coordinate.

IIRC, Ed25519 signatures do require a y-coordinate sign, and so the
signature representation is not x-only.

> On Sep 4, 2018, at 10:24 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> My source is Dr. Lange at the IETF meeting in Toronto when the IETF selected EC25519.
> A curve point needs an x and a y.  But do you need the y for the computation.  Do you only need its sign?  I don't know.  I am not a mathematician.


More information about the openssl-users mailing list