OpenBSD manual page server

Manual Page Search Parameters
EC_POINT_POINT2OCT(3) Library Functions Manual EC_POINT_POINT2OCT(3)

EC_POINT_point2oct, EC_POINT_oct2point, EC_POINT_point2bn, EC_POINT_bn2point, EC_POINT_point2hex, EC_POINT_hex2pointencode and decode elliptic curve points

#include <openssl/bn.h>
#include <openssl/ec.h>

typedef enum {
	POINT_CONVERSION_COMPRESSED = 2,
	POINT_CONVERSION_UNCOMPRESSED = 4,
	POINT_CONVERSION_HYBRID = 6
} point_conversion_form_t;

size_t
EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, unsigned char *buf, size_t len, BN_CTX *ctx);

int
EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point, const unsigned char *buf, size_t len, BN_CTX *ctx);

BIGNUM *
EC_POINT_point2bn(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, BIGNUM *bn, BN_CTX *ctx);

EC_POINT *
EC_POINT_bn2point(const EC_GROUP *group, const BIGNUM *bn, EC_POINT *point, BN_CTX *ctx);

char *
EC_POINT_point2hex(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, BN_CTX *ctx);

EC_POINT *
EC_POINT_hex2point(const EC_GROUP *group, const char *hex, EC_POINT *point, BN_CTX *ctx);

The ctx argument of all functions in this manual is optional.

An EC_POINT object represents a point on the elliptic curve given by an EC_GROUP object. It is either the point at infinity or it has a representation (x, y) in standard affine coordinates, in which case it satisfies the curve's Weierstrass equation

y^2 = x^3 + ax + b
in the prime field of size p. Thus, y is a square root of x^3 + ax + b. Since p > 3 is odd, p - y is another square root with different parity, unless y is zero. Point compression uses that x and the parity of y are enough to compute y using BN_mod_sqrt(3).

Field elements are represented as non-negative integers < p in big-endian 2-complement form, zero-padded on the left to the byte length l of p. If X and Y are the representations of x and y, respectively, and P is the parity bit of y, the three encodings of the point (x, y) are the byte strings:

Encoding 2+P || X 4 || X || Y 6+P || X || Y
Length 1 + l 1 + 2l 1 + 2l
where the first octet is the point conversion form combined with the parity bit in the compressed and hybrid encodings. The point at infinity is encoded as a single zero byte.

() converts point into the octet string encoding of type form. It assumes without checking that point is a point on the elliptic curve represented by group and operates in two modes depending on the buf argument. If buf is NULL, EC_POINT_point2oct() returns the length of point's encoding of type form and ignores the len and ctx arguments. If buf is not NULL and its length len is sufficiently big, EC_POINT_point2oct(3) writes the point's encoding of type form to buf and returns the number of bytes written. Unless point is the point at infinity, the coordinates to be encoded are calculated using EC_POINT_get_affine_coordinates(3).

() decodes the octet string representation of a point on group in buf of size len and, if it represents a point on group, sets it on the caller-provided point using EC_POINT_set_to_infinity(3) EC_POINT_set_compressed_coordinates(3), or EC_POINT_set_affine_coordinates(3). For hybrid encoding the consistency of the parity bit in the leading octet is verified.

() returns a BIGNUM containing the encoding of type form of the point on group. If bn is NULL, this BIGNUM is newly allocated, otherwise the result is copied into bn and returned. EC_POINT_point2bn() is equivalent to EC_POINT_point2oct() followed by BN_bin2bn(3).

() assumes that bn contains the encoding of a point on group. If point is NULL, the result is placed in a newly allocated EC_POINT, otherwise the result is placed in point which is then returned. EC_POINT_bn2point() is equivalent to BN_bn2bin(3) followed by EC_POINT_oct2point().

() returns a printable string containing the hexadecimal encoding of the point encoding of type form of the point on group. The string must be freed by the caller using free(3). EC_POINT_point2hex() is equivalent to EC_POINT_point2bn() followed by (3).

() interprets hex as a hexadecimal encoding of the point encoding of a point on group. If point is NULL, the result is returned in a newly allocated EC_POINT, otherwise the result is copied into point, which is then returned. EC_POINT_hex2point() is equivalent to BN_hex2bn(3) followed by EC_POINT_bn2point().

If buf is NULL, EC_POINT_point2oct() returns the length needed to encode the point on group, or 0 on error. If buf is not NULL, EC_POINT_point2oct() returns the number of bytes written to buf or 0 on error. Error conditions include that form is invalid, len is too small, and memory allocation failure.

EC_POINT_oct2point() returns 1 on success and 0 on error. Error conditions include invalid encoding, buf does not represent a point on group, or memory allocation failure.

EC_POINT_point2bn() returns a BIGNUM containing the encoding of point or NULL on error. The returned BIGNUM is either bn or a newly allocated one which must be freed by the caller. Error conditions include those of EC_POINT_point2oct(), BN_bn2bin(3), or memory allocation failure.

EC_POINT_bn2point() returns an EC_POINT corresponding to the encoding in bn or NULL on error. The returned EC_POINT is either point or a newly allocated one which must be freed by the caller. Error conditions include those of BN_bn2bin(3), EC_POINT_oct2point(), or memory allocation failure.

EC_POINT_point2hex() returns a newly allocated string or NULL on error. Error conditions include those of EC_POINT_point2bn() or BN_bn2hex(3).

EC_POINT_hex2point() returns an EC_POINT containing the decoded point on group or NULL on error. The returned EC_POINT is either point or a newly allocated one which must be freed by the caller. Error conditions are those of BN_hex2bn(3), or EC_POINT_bn2point().

BN_mod_sqrt(3), BN_new(3), BN_num_bits(3), crypto(3), d2i_ECPKParameters(3), EC_GROUP_check(3), EC_GROUP_get_curve_name(3), EC_GROUP_new_by_curve_name(3), EC_GROUP_new_curve_GFp(3), EC_KEY_METHOD_new(3), EC_KEY_new(3), EC_POINT_add(3), EC_POINT_get_affine_coordinates(3), EC_POINT_new(3), ECDH_compute_key(3), ECDSA_SIG_new(3)

SEC 1: Elliptic Curve Cryptography, Version 2.0, https://www.secg.org/sec1-v2.pdf, May 21, 2009.

EC_POINT_point2oct() and EC_POINT_oct2point() first appeared in OpenSSL 0.9.7 and have been available since OpenBSD 3.2.

EC_POINT_point2bn(), EC_POINT_bn2point(), EC_POINT_point2hex(), and EC_POINT_hex2point() first appeared in OpenSSL 0.9.8 and have been available since OpenBSD 4.5.

The point_conversion_form_t is not properly exposed in the API. There is no representation for the point at infinity nor is there an API interface for the parity bit, forcing applications to invent their own and do bit twiddling in buffers.

The poorly chosen signatures of the functions in this manual result in an unergonomic API, particularly so for EC_POINT_point2oct() and EC_POINT_oct2point(). Due to fundamental misdesign in the EC library, points are not directly linked to the curve they live on. Adding checks that point lives on group is too expensive and intrusive, so it is and will continue to be easy to make the EC_POINT_point2* API output nonsense.

EC_POINT_point2bn() and EC_POINT_bn2point() make no sense. They abuse BIGNUM as a vector type, which is in poor taste.

EC_POINT_point2hex() and EC_POINT_hex2point() use a non-standard encoding format.

April 26, 2025 OpenBSD-current