src/modules/ecdh/main_impl.h

   1 /**********************************************************************
   2  * Copyright (c) 2015 Andrew Poelstra                                 *
   3  * Distributed under the MIT software license, see the accompanying   *
   4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
   5  **********************************************************************/
   6
   7 #ifndef SECP256K1_MODULE_ECDH_MAIN_H
   8 #define SECP256K1_MODULE_ECDH_MAIN_H
   9
  10 #include "include/secp256k1_ecdh.h"
  11 #include "ecmult_const_impl.h"
  12
  13 int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *result, const secp256k1_pubkey *point, const unsigned char *scalar) {
  14     int ret = 0;
  15     int overflow = 0;
  16     secp256k1_gej res;
  17     secp256k1_ge pt;
  18     secp256k1_scalar s;
  19     VERIFY_CHECK(ctx != NULL);
  20     ARG_CHECK(result != NULL);
  21     ARG_CHECK(point != NULL);
  22     ARG_CHECK(scalar != NULL);
  23
  24     secp256k1_pubkey_load(ctx, &pt, point);
  25     secp256k1_scalar_set_b32(&s, scalar, &overflow);
  26     if (overflow || secp256k1_scalar_is_zero(&s)) {
  27         ret = 0;
  28     } else {
  29         unsigned char x[32];
  30         unsigned char y[1];
  31         secp256k1_sha256_t sha;
  32
  33         secp256k1_ecmult_const(&res, &pt, &s);
  34         secp256k1_ge_set_gej(&pt, &res);
  35         /* Compute a hash of the point in compressed form
  36          * Note we cannot use secp256k1_eckey_pubkey_serialize here since it does not
  37          * expect its output to be secret and has a timing sidechannel. */
  38         secp256k1_fe_normalize(&pt.x);
  39         secp256k1_fe_normalize(&pt.y);
  40         secp256k1_fe_get_b32(x, &pt.x);
  41         y[0] = 0x02 | secp256k1_fe_is_odd(&pt.y);
  42
  43         secp256k1_sha256_initialize(&sha);
  44         secp256k1_sha256_write(&sha, y, sizeof(y));
  45         secp256k1_sha256_write(&sha, x, sizeof(x));
  46         secp256k1_sha256_finalize(&sha, result);
  47         ret = 1;
  48     }
  49
  50     secp256k1_scalar_clear(&s);
  51     return ret;
  52 }
  53
  54 #endif /* SECP256K1_MODULE_ECDH_MAIN_H */