I am working with a library that outputs EC points in uncompressed form. To save space, I'm considering modifying said library to use compressed EC points. Assuming that I keep track of the sign bit prior to compression, is there any risk in compressing said point?
I read this Q and related answer, but want to ensure that I may not be opening the door for other issues.
I would argue the opposite: it's safer to compress a point.
The reason is fairly simple. During decompression- whose most expensive operation is a modular square root - your are guaranteeing that the resulting point either is on the curve, zero or infinity.
One of the most frequent errors in elliptic curve operations is failing to properly validate a point before operating on it. The most public example of this is the Bluetooth pairing vulnerability - which, had it used compressed points, would not have been vulnerable to MITM attacks.
While validation is less expensive than decompression - it's one of those "seemingly optional" steps that people can forget to do. With compressed points there's no option.
You will need a quadratic non-residue in order to decompress the points, and
there is no known deterministic algorithm that will provably find one efficiently.
Also, if you allow both sign bits for $\: y=0 \:$ or the point-at-infinity,
then you will lose non-malleability and strong unforgeability.
