Forming ECC key (TLS) in X9.63 format

kw flag

I am studying TLS handshaking by example a program tlse, which uses libtomcrypt library.
I see that in line 5236 (link above) the program call libtomcrypt procedure ecc_ansi_x963_export(context->ecc_dhe, out, &out_len) .
I see that the procedure forms a ECC key in the buffer out and add it to client "key_share" extension in the line 5248.

My question is: what is the format X9.63 ? Does it specifies a format of ECC key - bytes in the big endian order or something else ? (unfortunately, I'm confused in terminology - could you explain it to me)

Maarten Bodewes avatar
in flag
It's probably just the encoding of the **public key point**. The public point is usually encoded as a binary array starting with a byte starting with `0x02`, `0x03` or `0x04`. The first two indicate a compressed point (one additional bit is required for calculating the $y$ value from the $x$ value), and `0x04` is to indicate an uncompressed point containing both. The coordinates $x$ and $y$ are encoded in a statically sized big integer value; the size is the same as the key size in bytes. Please include the result in `out` in hexadecimals, as the public key point may be ASN.1 DER encoded too.
dave_thompson_085 avatar
cn flag
@MaartenBodewes: TLS1.3 allows only (the equivalent of) uncompressed, and wraps the result in TLS format not DER (in contrast to e.g. PKIX certs)
cn flag

The official X9.63 format is the same as the X9.62 format (which is now withdrawn, but memorialized other places including SEC1) and actually had three forms -- uncompressed, compressed, and hybrid -- plus a special case for the identity element, commonly called the 'point at infinity' when affine coordinates are used, as they are for Weierstrass curve form in X9. In practice nobody used hybrid form and nobody wants to use (thus encode) the identity element, so e.g. rfc5480 for a PKIX certificate and rfc5656 for SSH2 both reference SEC1.

However, key_share in TLS1.3 is a little different. It redefines, using the TLS notation, the equivalent of uncompressed form only -- one byte 04, fixed-length big-endian unsigned x and y -- not allowing compressed form. In contrast ECC in TLS1.0-1.2 defined ECPoint used for server public-key and optionally for explicit curve parameters (which pretty much nobody ever used and were removed in TLS1.3) and client public-key by reference to X9.62 and allowed uncompressed or optionally compressed subject to the "supported point formats" negotiated in the Hello exchange.

I sit in a Tesla and translated this thread with Ai:


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.