Quiz Entry - updated: 2026.07.14
True or false: "After an EC-DH key exchange, both parties should use both the x- AND y-coordinate of the shared point as the symmetric key."
False — only the x-coordinate is used as the shared symmetric key. Using the y-coordinate would leak information and is explicitly discouraged.
Why only the x-coordinate:
- For any x-coordinate on the curve, there are at most two possible y-values: $y$ and $p - y$
- If an attacker somehow learns the y-coordinate, they immediately know the x-coordinate too (since they're related by the curve equation)
- Using only $x$ provides a clean, well-defined shared secret
- The y-coordinate adds no additional entropy — knowing $x$ narrows $y$ to two values
In practice:
- The shared point $K = a \cdot B = b \cdot A$ has coordinates $(x_K, y_K)$
- The symmetric key is derived from $x_K$ only (typically through a key derivation function like HKDF)
- This is specified in standards like X25519, where the output is always just the x-coordinate
Common mistake: Students sometimes assume the entire point should be used as key material. In fact, only the x-coordinate is used as key material.
Go deeper:
Curve25519 — Wikipedia — X25519 works entirely with x-coordinates (the Montgomery ladder).
RFC 7748 — Elliptic curves for security (X25519/X448) — the standard x-coordinate-only scalar multiplication.