I was wondering if there was (and I hope there is) a standard for public key size for ECDH (Elliptic Curve Diffie-Hellman) and ECDSA (Elliptic Curve Digital Signature Algorithm) for every curve type over prime fields (192, 224, 256, 384 and 521).
The ECPublicKey interface is used to verify signatures on signed data using the ECDSA algorithm and to generate shared secrets using the ECDH algorithm. An implementation of ECPublicKey interface must also implement the ECKey interface methods.
The public key is then calculated as [10]G . Here [10] means add the G itself 10 times G+G+G+G+G+G+G+G+G+G . Note that this is not an ordinary addition of tuples. It is an elliptic curve point addition based on the tangent and chord rule.
An EC (Elliptic Curve) key-pair is a pair of a private and public key constructed from a given subgroup generator in a given elliptic curve group.
It has been noted by the NSA that the encryption of a top-secret document by elliptic curve cryptography requires a key length of 384 bit.
If you use one of the "named curves" then the public key size is fixed and dependent on the "field size" of your underlying curve.
Public key sizes further depend on whether the "uncompressed" representation or the "compressed" representation is used. In the uncompressed form, the public key size is equal to two times the field size (in bytes) + 1, in the compressed form it is field size + 1. So if your curve is defined on secp256r1
(also called NIST P-256
or X9.62 prime256v1
), then the field size is 256 bits or 32 bytes. And therefore the public key would be exactly 65 bytes (32*2 +1) long in the uncompressed form and 33 bytes (32 +1) long in the compressed form.
The uncompressed form consists of an 0x04 (in analogy to the DER OCTET STRING tag) plus the concatenation of the big-endian binary representation of the x coordinate plus the binary representation of the y coordinate of the public point.
If the underlying field is GF(p) where p is a a big prime (in the case of P-256, a 256-bit prime), then x and y can be thought of as elements from [0, p-1]. They are encoded in the usual way as ((log2(p)+1)/8)-byte integers, with the MSBs padded with zero if necessary.
For GF(2^m) x and y can be thought of as polynomials a_0 + a_1x + a_2x^2 + ... + a_{m-1}x^{m-1} with coefficients a_i equal to either 0 or 1. Their binary representation is simply the concatenation of the coefficients.
The exact details can be found in SEC1v2. (Especially section 2.3.3 Elliptic-Curve-Point-to-Octet-String Conversion on pages 10 and 11.)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With