1 /**********************************************************************
2 * Copyright (c) 2015 Andrew Poelstra *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #ifndef SECP256K1_MODULE_ECDH_MAIN_H
8 #define SECP256K1_MODULE_ECDH_MAIN_H
10 #include "include/secp256k1_ecdh.h"
11 #include "ecmult_const_impl.h"
/* Derive an ECDH shared secret and write a SHA-256 hash of the compressed
 * encoding of the product point into result.
 *
 * Visible flow: load the public key, parse the secret scalar, reject it if
 * parsing reported overflow or the scalar is zero, otherwise multiply the
 * point by the scalar, normalize the coordinates, and hash one prefix byte
 * followed by the x-coordinate bytes.
 *
 * ctx:    context object; checked non-NULL with VERIFY_CHECK.
 * result: output buffer that receives the finalized hash; must not be NULL
 *         (presumably 32 bytes for SHA-256; confirm against the public header).
 * point:  the other party's public key; must not be NULL.
 * scalar: secret scalar bytes handed to secp256k1_scalar_set_b32; must not
 *         be NULL.
 *
 * NOTE(review): this listing skips several source lines (gutter numbers
 * 14-18, 27-30, 47-49 and 51-52 are absent). The local declarations, the
 * statements in those gaps, the closing braces and the return statement are
 * therefore not visible here; confirm them against the original file. */
int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *result, const secp256k1_pubkey *point, const unsigned char *scalar) {
    /* NOTE(review): source lines 14-18 are missing from the listing; the
     * declarations of pt, s, overflow and res presumably sit here. */
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(result != NULL);
    ARG_CHECK(point != NULL);
    ARG_CHECK(scalar != NULL);

    /* The call is used as a plain statement, so any status it reports is not
     * inspected here. NOTE(review): confirm that a malformed or zeroed pubkey
     * cannot reach the multiplication below. */
    secp256k1_pubkey_load(ctx, &pt, point);
    secp256k1_scalar_set_b32(&s, scalar, &overflow);
    /* A scalar that overflowed during parsing, or that is zero, is treated as
     * an invalid secret key and takes the rejection branch. */
    if (overflow || secp256k1_scalar_is_zero(&s)) {
        /* NOTE(review): source lines 27-30 are missing from the listing; the
         * rejection-branch body, the start of the success branch and the
         * declarations of x and y presumably sit here. */
        secp256k1_sha256_t sha;

        /* res = s * pt; judging by its name and the timing note below this is
         * the constant-time multiplication. TODO confirm in
         * ecmult_const_impl.h. */
        secp256k1_ecmult_const(&res, &pt, &s);
        /* Convert the result into pt, reusing the variable that held the
         * input point. */
        secp256k1_ge_set_gej(&pt, &res);
        /* Compute a hash of the point in compressed form
         * Note we cannot use secp256k1_eckey_pubkey_serialize here since it does not
         * expect its output to be secret and has a timing sidechannel. */
        secp256k1_fe_normalize(&pt.x);
        secp256k1_fe_normalize(&pt.y);
        secp256k1_fe_get_b32(x, &pt.x);
        /* Prefix byte: 0x02 when y is even, 0x03 when y is odd. */
        y[0] = 0x02 | secp256k1_fe_is_odd(&pt.y);

        /* Hash input order is prefix byte first, then the x-coordinate bytes. */
        secp256k1_sha256_initialize(&sha);
        secp256k1_sha256_write(&sha, y, sizeof(y));
        secp256k1_sha256_write(&sha, x, sizeof(x));
        secp256k1_sha256_finalize(&sha, result);
        /* NOTE(review): source lines 47-49 are missing from the listing. No
         * wipe of x, y, sha, pt or res is visible on this page, although x
         * holds the raw shared x-coordinate; confirm whether these
         * intermediates are cleared before return. */

    /* The parsed secret scalar is wiped; given the line gap above, this
     * appears to run after the branch rather than inside it. TODO confirm. */
    secp256k1_scalar_clear(&s);
54 #endif /* SECP256K1_MODULE_ECDH_MAIN_H */