[openssl-users] X25519 - why openssl shows server temp key as 253 bits?

Michael Richardson mcr at sandelman.ca
Tue Sep 4 16:10:04 UTC 2018

Robert Moskowitz <rgm at htt-consult.com> wrote:
    > A curve point needs an x and a y.  But do you need the y for the
    > computation.  Do you only need its sign?  I don't know.  I am not a
    > mathematician.

My understanding is that you need x and y to do the computation.
(And I observe this in code)

However, since x and y have to be on the curve, if you know x, then
that constrained y to be one or two values... so you need to know the *sign*
of y, which is transmitted as a single bit. Then you can calculate y.
The fundamental reason behind this is because sqrt(4) = 2, and sqrt(4) = -2...

Since some bits of the x are required to be 0, it's possible to encode the
sign of Y into the encoded X bit-stream...

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180904/ff7a3f51/attachment.sig>

More information about the openssl-users mailing list