[openssl-users] X25519 - why openssl shows server temp key as 253 bits?

Viktor Dukhovni openssl-users at dukhovni.org
Tue Sep 4 22:23:26 UTC 2018

> On Sep 4, 2018, at 12:10 PM, Michael Richardson <mcr at sandelman.ca> wrote:
> My understanding is that you need x and y to do the computation.
> (And I observe this in code)

The Y coordinate is not needed for X25519 and X448 Diffie-Hellman key agreement,
these operate on the X (sometimes called "u") coordinate only.

The Ed25519 and Ed448 algorithms do use compressed-encodings with one bit
used to disambiguate the choice of square-root for one of the coordinates.
With Edwards form the choice of which to compress is arbitrary, the
curve is invariant under exchange of x and y or change of either sign.


