Score:0

# How to find $z$ when deserializing elliptic curve?

In §2.3.4 of Standards for Efficient Cryptography 1 (SEC 1), the authors define the following step in deserializing elliptic-curve points that were serialized in the format given in §2.3.3 (emphasis added):

2.4.3
If $$q = 2^m$$ and $$x_P\neq 0$$, compute the field element $$\beta=x_P+a+b x_P^{-2}$$ in $$\mathbb{F}_{2^m}$$, and find an element $$z=z_{m-1}x^{m-1}+\cdots+z_1 x+z_0$$ such that $$z^2+z=\beta$$ in $$\mathbb{F}_{2^m}$$. Output “invalid” and stop if no such $$z$$ exists, otherwise set $$y_P=x_Pz$$ in $$\mathbb{F}_{2^m}$$ if $$z_0=\tilde{y}_P$$, and set $$y_P=x_P{({z+1})}$$ in $$\mathbb{F}_{2^m}$$ if $$z_0\neq\tilde{y}_P$$.

What method can be used to compute $$z$$ in this context?

I think this is a dupe [Solving Quadratic equations in Galois Field (2^163)](https://crypto.stackexchange.com/q/21072/18298), of course if you need to find, use SageMath instead of solving by hand.
That answer gives formulas for some "trace" and "half-trace" values that may be *of use in* solving the equation $y^2 + xy = x^3 + x^2 + 1$ (which isn't quite the equation I'm trying to solve anyway), but then clarifies that, to actually *complete* the solution, I need to read some book that's not freely available without piracy. (The Google Books link he provides is dead as page 26 is no longer available in the free preview.) I don't regard that answer as satisfying my question.
Not as a direct answer to the question as-stated, but to [X-Y Problem](https://meta.stackexchange.com/questions/66377) it: so long as you're working with the Short Weierstrass form $$y^2=x^3+ax+b, which is the standard for all curves except the Bernstein ones; and even they [can be put in it](https://datatracker.ietf.org/doc/html/draft-struik-lwig-curve-representations-02#appendix-D.3)$$, you can use this decompression formula, which has nothing more convoluted than a modular square-root operation: $y=y'\cdot {-1}^{{y'}_0+\tilde{y}_P};y'=\sqrt{{x_P}^3-3x_P+b_E}$
^equation h/t [Helder Eijs](https://github.com/Legrandin/pycryptodome/blob/d8edf1a6a70d3a65dcda18ee24d96161525f2825/lib/Crypto/PublicKey/ECC.py#L878); it's unclear if it's his original work, though, as no citation was given in the source commit or changelog… if anyone knows prior art for that formula, I'd be interested to see it.
It is better to delete this and ask a new one, including the comments and the linked question so that it may get more attention...
I sit in a Tesla and translated this thread with Ai: