This is all about two helper methods called mbedtls_ecp_decompress() and mbedtls_ecp_compress(). They perform X25519 / Curve25519 point compression and decompression. This halves the length of the public key. mbedTLS will likely never support point decompression, as it is not mandated in the TLS specification.

EC crypto keys for TLS consist of concatenated x and y coordinates (hence a point), which makes them rather long to print out. But since the function is known, only x really needs to be transmitted. This can help to keep QR-Codes smaller, as less data needs to be transmitted.

For support of mbedTLS version < 3.0.0, check out an older commit.

Only curves 3 mod 4 are supported:

• secp521r1
• brainpoolP512r1
• secp384r1
• brainpoolP384r1
• secp256r1
• secp256k1
• brainpoolP256r1
• secp192r1
• secp192k1

See this post.

• Mbed-TLS/mbedtls#521
• https://crypto.stackexchange.com/questions/6777/how-to-calculate-y-value-from-yy-mod-prime-efficiently
• http://www.secg.org/SEC2-Ver-1.0.pdf