Bitcoin Core  24.99.0
P2P Digital Currency
ecdh.c
Go to the documentation of this file.
1 /*************************************************************************
2  * Written in 2020-2022 by Elichai Turkel *
3  * To the extent possible under law, the author(s) have dedicated all *
4  * copyright and related and neighboring rights to the software in this *
5  * file to the public domain worldwide. This software is distributed *
6  * without any warranty. For the CC0 Public Domain Dedication, see *
7  * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
8  *************************************************************************/
9 
10 #include <stdio.h>
11 #include <assert.h>
12 #include <string.h>
13 
14 #include <secp256k1.h>
15 #include <secp256k1_ecdh.h>
16 
17 #include "random.h"
18 
19 
20 int main(void) {
21  unsigned char seckey1[32];
22  unsigned char seckey2[32];
23  unsigned char compressed_pubkey1[33];
24  unsigned char compressed_pubkey2[33];
25  unsigned char shared_secret1[32];
26  unsigned char shared_secret2[32];
27  unsigned char randomize[32];
28  int return_val;
29  size_t len;
30  secp256k1_pubkey pubkey1;
31  secp256k1_pubkey pubkey2;
32 
33  /* The specification in secp256k1.h states that `secp256k1_ec_pubkey_create`
34  * needs a context object initialized for signing, which is why we create
35  * a context with the SECP256K1_CONTEXT_SIGN flag.
36  * (The docs for `secp256k1_ecdh` don't require any special context, just
37  * some initialized context) */
39  if (!fill_random(randomize, sizeof(randomize))) {
40  printf("Failed to generate randomness\n");
41  return 1;
42  }
43  /* Randomizing the context is recommended to protect against side-channel
44  * leakage See `secp256k1_context_randomize` in secp256k1.h for more
45  * information about it. This should never fail. */
46  return_val = secp256k1_context_randomize(ctx, randomize);
47  assert(return_val);
48 
49  /*** Key Generation ***/
50 
51  /* If the secret key is zero or out of range (bigger than secp256k1's
52  * order), we try to sample a new key. Note that the probability of this
53  * happening is negligible. */
54  while (1) {
55  if (!fill_random(seckey1, sizeof(seckey1)) || !fill_random(seckey2, sizeof(seckey2))) {
56  printf("Failed to generate randomness\n");
57  return 1;
58  }
59  if (secp256k1_ec_seckey_verify(ctx, seckey1) && secp256k1_ec_seckey_verify(ctx, seckey2)) {
60  break;
61  }
62  }
63 
64  /* Public key creation using a valid context with a verified secret key should never fail */
65  return_val = secp256k1_ec_pubkey_create(ctx, &pubkey1, seckey1);
66  assert(return_val);
67  return_val = secp256k1_ec_pubkey_create(ctx, &pubkey2, seckey2);
68  assert(return_val);
69 
70  /* Serialize pubkey1 in a compressed form (33 bytes), should always return 1 */
71  len = sizeof(compressed_pubkey1);
72  return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey1, &len, &pubkey1, SECP256K1_EC_COMPRESSED);
73  assert(return_val);
74  /* Should be the same size as the size of the output, because we passed a 33 byte array. */
75  assert(len == sizeof(compressed_pubkey1));
76 
77  /* Serialize pubkey2 in a compressed form (33 bytes) */
78  len = sizeof(compressed_pubkey2);
79  return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey2, &len, &pubkey2, SECP256K1_EC_COMPRESSED);
80  assert(return_val);
81  /* Should be the same size as the size of the output, because we passed a 33 byte array. */
82  assert(len == sizeof(compressed_pubkey2));
83 
84  /*** Creating the shared secret ***/
85 
86  /* Perform ECDH with seckey1 and pubkey2. Should never fail with a verified
87  * seckey and valid pubkey */
88  return_val = secp256k1_ecdh(ctx, shared_secret1, &pubkey2, seckey1, NULL, NULL);
89  assert(return_val);
90 
91  /* Perform ECDH with seckey2 and pubkey1. Should never fail with a verified
92  * seckey and valid pubkey */
93  return_val = secp256k1_ecdh(ctx, shared_secret2, &pubkey1, seckey2, NULL, NULL);
94  assert(return_val);
95 
96  /* Both parties should end up with the same shared secret */
97  return_val = memcmp(shared_secret1, shared_secret2, sizeof(shared_secret1));
98  assert(return_val == 0);
99 
100  printf("Secret Key1: ");
101  print_hex(seckey1, sizeof(seckey1));
102  printf("Compressed Pubkey1: ");
103  print_hex(compressed_pubkey1, sizeof(compressed_pubkey1));
104  printf("\nSecret Key2: ");
105  print_hex(seckey2, sizeof(seckey2));
106  printf("Compressed Pubkey2: ");
107  print_hex(compressed_pubkey2, sizeof(compressed_pubkey2));
108  printf("\nShared Secret: ");
109  print_hex(shared_secret1, sizeof(shared_secret1));
110 
111  /* This will clear everything from the context and free the memory */
113 
114  /* It's best practice to try to clear secrets from memory after using them.
115  * This is done because some bugs can allow an attacker to leak memory, for
116  * example through "out of bounds" array access (see Heartbleed), Or the OS
117  * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
118  *
119  * TODO: Prevent these writes from being optimized out, as any good compiler
120  * will remove any writes that aren't used. */
121  memset(seckey1, 0, sizeof(seckey1));
122  memset(seckey2, 0, sizeof(seckey2));
123  memset(shared_secret1, 0, sizeof(shared_secret1));
124  memset(shared_secret2, 0, sizeof(shared_secret2));
125 
126  return 0;
127 }
int main(void)
Definition: ecdh.c:20
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1079
static int fill_random(unsigned char *data, size_t size)
Definition: random.h:37
static void print_hex(unsigned char *data, size_t size)
Definition: random.h:66
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:146
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:200
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:706
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:246
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:528
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:551
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:107
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:205
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh(const secp256k1_context *ctx, unsigned char *output, const secp256k1_pubkey *pubkey, const unsigned char *seckey, secp256k1_ecdh_hash_function hashfp, void *data) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Compute an EC Diffie-Hellman secret in constant time.
Definition: main_impl.h:29
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
static secp256k1_context * ctx
Definition: tests.c:34
assert(!tx.IsCoinBase())