Bitcoin Core  27.99.0
P2P Digital Currency
ecdh.c
Go to the documentation of this file.
1 /*************************************************************************
2  * Written in 2020-2022 by Elichai Turkel *
3  * To the extent possible under law, the author(s) have dedicated all *
4  * copyright and related and neighboring rights to the software in this *
5  * file to the public domain worldwide. This software is distributed *
6  * without any warranty. For the CC0 Public Domain Dedication, see *
7  * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
8  *************************************************************************/
9 
10 #include <stdio.h>
11 #include <assert.h>
12 #include <string.h>
13 
14 #include <secp256k1.h>
15 #include <secp256k1_ecdh.h>
16 
17 #include "examples_util.h"
18 
19 int main(void) {
20  unsigned char seckey1[32];
21  unsigned char seckey2[32];
22  unsigned char compressed_pubkey1[33];
23  unsigned char compressed_pubkey2[33];
24  unsigned char shared_secret1[32];
25  unsigned char shared_secret2[32];
26  unsigned char randomize[32];
27  int return_val;
28  size_t len;
29  secp256k1_pubkey pubkey1;
30  secp256k1_pubkey pubkey2;
31 
32  /* Before we can call actual API functions, we need to create a "context". */
34  if (!fill_random(randomize, sizeof(randomize))) {
35  printf("Failed to generate randomness\n");
36  return 1;
37  }
38  /* Randomizing the context is recommended to protect against side-channel
39  * leakage See `secp256k1_context_randomize` in secp256k1.h for more
40  * information about it. This should never fail. */
41  return_val = secp256k1_context_randomize(ctx, randomize);
42  assert(return_val);
43 
44  /*** Key Generation ***/
45 
46  /* If the secret key is zero or out of range (bigger than secp256k1's
47  * order), we try to sample a new key. Note that the probability of this
48  * happening is negligible. */
49  while (1) {
50  if (!fill_random(seckey1, sizeof(seckey1)) || !fill_random(seckey2, sizeof(seckey2))) {
51  printf("Failed to generate randomness\n");
52  return 1;
53  }
54  if (secp256k1_ec_seckey_verify(ctx, seckey1) && secp256k1_ec_seckey_verify(ctx, seckey2)) {
55  break;
56  }
57  }
58 
59  /* Public key creation using a valid context with a verified secret key should never fail */
60  return_val = secp256k1_ec_pubkey_create(ctx, &pubkey1, seckey1);
61  assert(return_val);
62  return_val = secp256k1_ec_pubkey_create(ctx, &pubkey2, seckey2);
63  assert(return_val);
64 
65  /* Serialize pubkey1 in a compressed form (33 bytes), should always return 1 */
66  len = sizeof(compressed_pubkey1);
67  return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey1, &len, &pubkey1, SECP256K1_EC_COMPRESSED);
68  assert(return_val);
69  /* Should be the same size as the size of the output, because we passed a 33 byte array. */
70  assert(len == sizeof(compressed_pubkey1));
71 
72  /* Serialize pubkey2 in a compressed form (33 bytes) */
73  len = sizeof(compressed_pubkey2);
74  return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey2, &len, &pubkey2, SECP256K1_EC_COMPRESSED);
75  assert(return_val);
76  /* Should be the same size as the size of the output, because we passed a 33 byte array. */
77  assert(len == sizeof(compressed_pubkey2));
78 
79  /*** Creating the shared secret ***/
80 
81  /* Perform ECDH with seckey1 and pubkey2. Should never fail with a verified
82  * seckey and valid pubkey */
83  return_val = secp256k1_ecdh(ctx, shared_secret1, &pubkey2, seckey1, NULL, NULL);
84  assert(return_val);
85 
86  /* Perform ECDH with seckey2 and pubkey1. Should never fail with a verified
87  * seckey and valid pubkey */
88  return_val = secp256k1_ecdh(ctx, shared_secret2, &pubkey1, seckey2, NULL, NULL);
89  assert(return_val);
90 
91  /* Both parties should end up with the same shared secret */
92  return_val = memcmp(shared_secret1, shared_secret2, sizeof(shared_secret1));
93  assert(return_val == 0);
94 
95  printf("Secret Key1: ");
96  print_hex(seckey1, sizeof(seckey1));
97  printf("Compressed Pubkey1: ");
98  print_hex(compressed_pubkey1, sizeof(compressed_pubkey1));
99  printf("\nSecret Key2: ");
100  print_hex(seckey2, sizeof(seckey2));
101  printf("Compressed Pubkey2: ");
102  print_hex(compressed_pubkey2, sizeof(compressed_pubkey2));
103  printf("\nShared Secret: ");
104  print_hex(shared_secret1, sizeof(shared_secret1));
105 
106  /* This will clear everything from the context and free the memory */
108 
109  /* It's best practice to try to clear secrets from memory after using them.
110  * This is done because some bugs can allow an attacker to leak memory, for
111  * example through "out of bounds" array access (see Heartbleed), Or the OS
112  * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
113  *
114  * Here we are preventing these writes from being optimized out, as any good compiler
115  * will remove any writes that aren't used. */
116  secure_erase(seckey1, sizeof(seckey1));
117  secure_erase(seckey2, sizeof(seckey2));
118  secure_erase(shared_secret1, sizeof(shared_secret1));
119  secure_erase(shared_secret2, sizeof(shared_secret2));
120 
121  return 0;
122 }
int main(void)
Definition: ecdh.c:19
static int fill_random(unsigned char *data, size_t size)
Definition: examples_util.h:43
static void secure_erase(void *ptr, size_t len)
Definition: examples_util.h:86
static void print_hex(unsigned char *data, size_t size)
Definition: examples_util.h:72
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1077
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:187
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:768
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:280
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:590
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:205
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:613
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:141
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:215
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh(const secp256k1_context *ctx, unsigned char *output, const secp256k1_pubkey *pubkey, const unsigned char *seckey, secp256k1_ecdh_hash_function hashfp, void *data) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Compute an EC Diffie-Hellman secret in constant time.
Definition: main_impl.h:29
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:74
assert(!tx.IsCoinBase())