Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is there a standardized fixed-length encoding for EC public keys?

Tags:

I was wondering if there was (and I hope there is) a standard for public key size for ECDH (Elliptic Curve Diffie-Hellman) and ECDSA (Elliptic Curve Digital Signature Algorithm) for every curve type over prime fields (192, 224, 256, 384 and 521).

like image 544
ALOToverflow Avatar asked Jul 12 '11 13:07

ALOToverflow


People also ask

What is EC public key?

The ECPublicKey interface is used to verify signatures on signed data using the ECDSA algorithm and to generate shared secrets using the ECDH algorithm. An implementation of ECPublicKey interface must also implement the ECKey interface methods.

How does ECC calculate public key?

The public key is then calculated as [10]G . Here [10] means add the G itself 10 times G+G+G+G+G+G+G+G+G+G . Note that this is not an ordinary addition of tuples. It is an elliptic curve point addition based on the tangent and chord rule.

What is an EC private key?

An EC (Elliptic Curve) key-pair is a pair of a private and public key constructed from a given subgroup generator in a given elliptic curve group.

What is the minimum key size in elliptical curve cryptography ECC )?

It has been noted by the NSA that the encryption of a top-secret document by elliptic curve cryptography requires a key length of 384 bit.


1 Answers

If you use one of the "named curves" then the public key size is fixed and dependent on the "field size" of your underlying curve.

Compressed vs. uncompressed representation

Public key sizes further depend on whether the "uncompressed" representation or the "compressed" representation is used. In the uncompressed form, the public key size is equal to two times the field size (in bytes) + 1, in the compressed form it is field size + 1. So if your curve is defined on secp256r1 (also called NIST P-256 or X9.62 prime256v1), then the field size is 256 bits or 32 bytes. And therefore the public key would be exactly 65 bytes (32*2 +1) long in the uncompressed form and 33 bytes (32 +1) long in the compressed form.

The uncompressed form consists of an 0x04 (in analogy to the DER OCTET STRING tag) plus the concatenation of the big-endian binary representation of the x coordinate plus the binary representation of the y coordinate of the public point.

GF(p) case

If the underlying field is GF(p) where p is a a big prime (in the case of P-256, a 256-bit prime), then x and y can be thought of as elements from [0, p-1]. They are encoded in the usual way as ((log2(p)+1)/8)-byte integers, with the MSBs padded with zero if necessary.

GF(2^m) case

For GF(2^m) x and y can be thought of as polynomials a_0 + a_1x + a_2x^2 + ... + a_{m-1}x^{m-1} with coefficients a_i equal to either 0 or 1. Their binary representation is simply the concatenation of the coefficients.

Further reading

The exact details can be found in SEC1v2. (Especially section 2.3.3 Elliptic-Curve-Point-to-Octet-String Conversion on pages 10 and 11.)

like image 116
emboss Avatar answered Sep 29 '22 16:09

emboss