]>
Compact representation of an elliptic curve point
Symantec Corporation
openpgp@brainhub.org
General
Network Workign Group
ECC
elliptic curve
elliptic curve point
compact representation
point compression
SEC1
cryptography
This document defines a format for efficient storage representation of an elliptic curve point over prime fields, suitable for use with any IETF format or protocol.
The National Security Agency (NSA) of the United States specifies elliptic curve cryptography (ECC) for use in its set of algorithms.
The NIST elliptic curves over the prime fields , which include curves, or the Brainpool
curves are the examples of curves over prime fields.
This document provides an efficient format for compact representation of a point on an elliptic curve over a prime field.
It is intended as an open format that other IETF protocols can rely on to minimize space required to store an ECC point.
This document complements the with the on-the-wire definition of an ECC point.
One of the benefits of the ECC is the small size of field elements. The compact representation reduces the encoded size of an ECC element in half,
which can be a substantial saving in cases such as encryption of a short message sent to multiple recipients.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .
IETF protocols often use the representation of a point on an elliptic curve, which is a sequence of the following fields:
Field
Description
B0
{02, 03, 04},
where 02 or 03 represent a compressed point (x only), while 04 represents a complete point (x,y)
X
x coordinate of a point
Y
y coordinate of a point, optional (present only for B0=04)
The is an example of a general-purpose elliptic curve point compression. The idea behind these methods is the following:
For the given point P=(x,y) the y coordinate can be derived from x by solving the corresponding equation of the ECC.
There are two possible y coordinates for any x of a given P
The either of the two possibilities for y is encoded in some way in the compressed representation

There are a few undesirable properties of the above representation:
The requirement to store one bit to identify the 'y' means that the whole byte is required.
For most well-known elliptic curves the extra byte removes the power of two alignment for the encoded point.
The requirement for the balanced security calls for
the ECC curve size to be equal the hash output size, yet the storage length of the ECC point is equal to the hash output size + 1.
The encoded point is not a multi-precision integer, but a structured sequence of bytes. For example, special wording is
required to define the encoding of the P-521 to clarify how odd number of bits for x and y, or a bit representing y,
are packed into bytes.
Some protocols, such as ECDH, don't depend on the exact value of the y. It is unnecessary
to track the precise point P=(x,y) in such protocols.

This document is an improvement to the idea by to not transmit the y coordinate of an ECC point in the
elliptic curve Diffie-Hellman (ECDH) protocol.
We will use the following notations for the ECC point Q and the features of the corresponding elliptic curve:
Q = k*G, where
Q = (x,y) is the point on an elliptic curve (the canonical represenation)
k - the private key (a scalar)
G - the elliptic curve generator point
y^2 = x^3 + a*x + b is the standard Weierstrass equation linking x and y
p - the order of the underlying finite field to which x and y belong
Ord - the order of the elliptic curve field, i.e. the number of points on the curve ( Ord*G = O, where O is the identity element )

Q is a point that we need to represent in the compact form.
The integer operations considered in this document are performed modulo prime p and "(mod p)" is assumed in every formula with x and y.
The steps to create and interpret the compact representation of a point are described next. A special key generation algorithm
is needed to make them possible, defined later in .
Given the canonical representation of Q=(x,y), return the x as the compact representation.
Given the compact representation of Q, return canonical representation of Q=(x,y) as follows:
y' = sqrt( x^3 + a*x + b ), where y'>0
y = min(y',p-y')
Q=(x,y) is the canonical representation of the point

Recall that the x is an integer in the underlying finite field.
Its precise encoding SHOULD be consistent with encoding of other multi-precision integers in the application, for example, it would
be the same encoding as used for the r or s integer that is a part of the DSA signature and it is typically a sequence of big-endian bytes.
The efficient algorithm to recover y for or the Brainpool curves ,
among others, is given in .
min(y,p-y) can be calculated with the help of the pre-calculated value p2=(p-1)/2. min(y,p-y) is y if y<p2 and p-y otherwise.
The efficient encoding and decoding algorithms are possible with the special key generation algorithm, defined next.
This document specifies two algorithms, called the "black box" and the "deterministic" key generation algorithms,
to generate a key pair {k, Q=k*G=(x,y)}, where k is the private key and Q=(x,y) is the public key.
A key pair generated according to the requirements in this section is called a compliant key pair, and the public key of such a key pair --
a compliant public key. A compliant public key Q=(x,y) allows compact representation as x, as defined in .
Both key generation algorithms can be built with any general purpose key generation algorithm which would be needed in any ECC implementation that generates
keys, regardless of the support for any method defined in this document.
Such a general purpose key generation algorithm is referred in this section as "KG".
The black box algorithm works in scenarios when the KG doesn't allow any adjustments to the private key.
The disadvantage of this algorithm is that multiple KGs may be needed to generate a single key pair {k, Q}.
The deterministic algorithm is similar, except that it is allowed to perform a simple and fast modification to the
private key after the KG. The advantage of the second algorithm is performance, in particular, the guarantee that only a single KG is needed.
The following algorithm calculates a key pair {k, Q=k*G=(x,y)}, where k is the private key and Q=(x,y) is the public key.
Generate a key pair {k, Q=k*G=(x,y)} with KG
if( y != min(y,p-y) ) goto step 1
output {k, Q=(x,y)} as a key pair

Note that the step 1 is a general purpose key generation algorithm, such as an algorithm compliant with .
Step 1 assumes neither changes to existing key generation methods nor access to the private key in clear.
The expected number of iterations in the loop in the above algorithm is 2.
The step 2 is not needed for the ECDH keys.
The following algorithm calculates a key pair {k, Q=k*G=(x,y)}, where k is the private key and Q=(x,y) is the public key.
Generate a key pair {k, Q=k*G=(x,y)} with KG
if( y != min(y,p-y) ) k = Ord - k
output {k, Q=(x,y)} as a key pair

The step 2 is not needed for the ECDH keys.
When p = 4*k+3, as is the case of the Brainpool curves ,
there is an efficient square root algorithm to recover the y, as follows:
Given the compact representation of Q as x,
y2 = x^3 + a*x + b
y' = y2^((p+1)/4)
y = min(y',p-y')
Q=(x,y) is the canonical representation of the point

See for details.
The compact representation described in this document allows two-phase introduction.
First, key pairs must be generated as defined in to allow compact representation. However,
no changes to existing systems are needed to use these keys.
This allows safe deployment of the new key generation and decoding of compact representation.
Finally, the encoding of public keys in the new compact representation format can be enabled after there is confidence in the universal
support of new compact representation.
This event would not need to change any private key material, only public key representation.
The above two phases can be implemented at once for new formats.
Most ECC cryptographic protocols, such as ECDH or ECDSA , are intended to work
with persistently stored
public keys that are
generated as fresh key pairs, as opposed to some derivation function that transforms an ECC point. The algorithm described in
is possible in all these cases.
In particular, the algorithm in will even work for secure devices that never reveal the private key, such as smartcards or
Hardware Security Modules. A public key that is generated according to the can be used without limitations in existing protocols that
use ECC points encoded in other ways, such as , with compression or not, with the added advantage that the keys
generated according to the method in will allow the encoding.
This document defines the low-level format that may be suitable for a wide range of applications. However, it is responsibility of the application that adopts this format
to define the IDs that will enable the ECC compact point representation in that application.
A new ID may not be always necessary. For example, an application that currently allows the encoding may allow the compact representation defined
in this document as an extension to the as follows. Consider the encoding of a compressed P-256 point, for example. The
compressed representation of a P-256 point will always occupy exactly 33 bytes. On the other hand, the compact representation defined in this document
will never exceed 32 bytes (it may occupy fewer that 32 bytes when the most significant byte has happened to be zero). This size will allow reliable discrimination
between two encoding formats.
The key pair generation process in excludes exactly half of the points on the elliptic curve.
What is left is the subset of points suitable for compact representation.
The filtering of points is based on a public criteria that are applied to the public output of the ECC one-way function.
The set of Ord points on the elliptic curve can be subdivided as follows. First, remove the point O, which leaves Ord-1 points.
Of these points there are exactly (Ord-1)/2 points that have unique x coordinate. This document specifies
a method to form the (Ord-1)/2 of points, each having a unique x coordinate. These points are called compliant public
keys in .
For any two public keys P=(x,y) and P=(x,y') there is up to one bit of entropy in y' v.s. y and this information is public. This bit of entropy doesn't
contribute to the difficulty of the underlying hard problem of the ECC: the elliptic curve discrete logarithm problem (ECDLP).
It will be shown next that breaking the ECDLP with a key generated according to is not easier than
breaking the ECDLP with a key obtained through a standard key generation algorithm, referred to as the KG algorithm in the .
Let us assume that there is an algorithm A that solves the ECDLP for the KG. The algorithm A can be transformed into the algorithm A' as follows.
If P=(x,y) is a compliant public key, the ECDLP is solved with A for the point (x,y): the result is k, such that k*G=(x,y)
If P=(x,y) is not a compliant public key, the ECDLP is solved with A for the point (x,p-y); assuming the result produced by A is k,
the result produced by A' is set to (Ord-k). Note that (Ord-k)*G = (x,p).

A' is equivalent to A. The complexity of one additional substraction in the prime field is negligible even to the
complexity of a single elliptic curve addition. Observe that A' works on all public keys by performing the actual work only on compliant public keys.
If we now consider only the compliant public keys, which cuts the number of points in half, we observe that the ECDLP solving algorithm A' doesn't get to break
fewer public keys. This concludes the proof.
The same result can be observed based on the details of the current state of the art attacks on the ECDLP. These attacks use Pollard's rho algorithm, which uses
the collision search in the sequence(s) of generated points with the goal to produce the points P1=(x1,y1) and P2=(x2,y2), such that x1=x2 and y1=y2.
The match in the x coordinate is the sufficient event for the successful attack.
After this event has ocurred, the sequence(s) that led to x1=x2 collision can be adjusted in a constant number of steps to ensure that y1=y2,
if this is not already the case. Furthermore, collision search requires the storage of candidates for the collision. It's wasteful to store (x,y) v.s. storing x and only
calculating y when the collision in x is detected. Thus, the ECDLP attack does not benefit from the unpredictability of the y.
Finally, note that a common design feature of an ECDH-based system is not to depend on the y coordinate, such as the one defined in the .
Thus, the security of the system is unaffected if we fix either of the two possibilities for the point with the given x coordinate.
&RFC2119;
&RFC5639;
&RFC6090;
Use of elliptic curves in cryptography
Springer-Verlag New York, Inc.
Computer technology applied to the theory of numbers
The Mathematical Association of America (Incorporated)
NSA Suite B Cryptography
National Security Agency
Digital Signature Standard (DSS)
National Institute of Standards and Technology
SEC 1: Elliptic Curve Cryptography
STANDARDS FOR EFFICIENT CRYPTOGRAPHY
Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
National Institute of Standards and Technology
Recommendation for Cryptographic Key Generation
National Institute of Standards and Technology