In public-key cryptography, key agreement allows two parties to securely establish a shared secret key. Importantly, the parties are not required to have any shared information in advance of the key agreement protocol. Typically both parties have a certificate, issued by a mutually trusted party called a CA (a certificate authority). The certificate binds the identity of each party to their public key, to assure the other party that the correct public key is being used in the key agreement protocol. Traditionally, a public-key certificate for the party U consists of the CA's signature on U's public key, their identity, and some additional information. In an implicit certificate scheme, the certificate consists of a value, denoted PU, that is jointly computed by the CA and U, along with some additional information, denoted IU. The certificate is denoted certU=(PU, IU). The public key, denoted QU, can be derived by anyone from certU and the CA's public key, and public parameters. The security of the scheme ensures that only U will know the secret key associated with the public key derived from certU. Examples of traditional (explicit) certificates are X.509 certificates signed with, for example, Elliptic Curve Digital Signature Algorithm (ECDSA). An example of implicit certificate scheme is Elliptic Curve Qu-Vanstone (ECQV).