github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/examples/ellswift.c (about) 1 /************************************************************************* 2 * Written in 2024 by Sebastian Falbesoner * 3 * To the extent possible under law, the author(s) have dedicated all * 4 * copyright and related and neighboring rights to the software in this * 5 * file to the public domain worldwide. This software is distributed * 6 * without any warranty. For the CC0 Public Domain Dedication, see * 7 * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 * 8 *************************************************************************/ 9 10 /** This file demonstrates how to use the ElligatorSwift module to perform 11 * a key exchange according to BIP 324. Additionally, see the documentation 12 * in include/secp256k1_ellswift.h and doc/ellswift.md. 13 */ 14 15 #include <stdio.h> 16 #include <stdlib.h> 17 #include <assert.h> 18 #include <string.h> 19 20 #include <secp256k1.h> 21 #include <secp256k1_ellswift.h> 22 23 #include "examples_util.h" 24 25 int main(void) { 26 secp256k1_context* ctx; 27 unsigned char randomize[32]; 28 unsigned char auxrand1[32]; 29 unsigned char auxrand2[32]; 30 unsigned char seckey1[32]; 31 unsigned char seckey2[32]; 32 unsigned char ellswift_pubkey1[64]; 33 unsigned char ellswift_pubkey2[64]; 34 unsigned char shared_secret1[32]; 35 unsigned char shared_secret2[32]; 36 int return_val; 37 38 /* Create a secp256k1 context */ 39 ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 40 if (!fill_random(randomize, sizeof(randomize))) { 41 printf("Failed to generate randomness\n"); 42 return EXIT_FAILURE; 43 } 44 /* Randomizing the context is recommended to protect against side-channel 45 * leakage. See `secp256k1_context_randomize` in secp256k1.h for more 46 * information about it. This should never fail. */ 47 return_val = secp256k1_context_randomize(ctx, randomize); 48 assert(return_val); 49 50 /*** Generate secret keys ***/ 51 if (!fill_random(seckey1, sizeof(seckey1)) || !fill_random(seckey2, sizeof(seckey2))) { 52 printf("Failed to generate randomness\n"); 53 return EXIT_FAILURE; 54 } 55 /* If the secret key is zero or out of range (greater than secp256k1's 56 * order), we fail. Note that the probability of this occurring is negligible 57 * with a properly functioning random number generator. */ 58 if (!secp256k1_ec_seckey_verify(ctx, seckey1) || !secp256k1_ec_seckey_verify(ctx, seckey2)) { 59 printf("Generated secret key is invalid. This indicates an issue with the random number generator.\n"); 60 return EXIT_FAILURE; 61 } 62 63 /* Generate ElligatorSwift public keys. This should never fail with valid context and 64 verified secret keys. Note that providing additional randomness (fourth parameter) is 65 optional, but recommended. */ 66 if (!fill_random(auxrand1, sizeof(auxrand1)) || !fill_random(auxrand2, sizeof(auxrand2))) { 67 printf("Failed to generate randomness\n"); 68 return EXIT_FAILURE; 69 } 70 return_val = secp256k1_ellswift_create(ctx, ellswift_pubkey1, seckey1, auxrand1); 71 assert(return_val); 72 return_val = secp256k1_ellswift_create(ctx, ellswift_pubkey2, seckey2, auxrand2); 73 assert(return_val); 74 75 /*** Create the shared secret on each side ***/ 76 77 /* Perform x-only ECDH with seckey1 and ellswift_pubkey2. Should never fail 78 * with a verified seckey and valid pubkey. Note that both parties pass both 79 * EllSwift pubkeys in the same order; the pubkey of the calling party is 80 * determined by the "party" boolean (sixth parameter). */ 81 return_val = secp256k1_ellswift_xdh(ctx, shared_secret1, ellswift_pubkey1, ellswift_pubkey2, 82 seckey1, 0, secp256k1_ellswift_xdh_hash_function_bip324, NULL); 83 assert(return_val); 84 85 /* Perform x-only ECDH with seckey2 and ellswift_pubkey1. Should never fail 86 * with a verified seckey and valid pubkey. */ 87 return_val = secp256k1_ellswift_xdh(ctx, shared_secret2, ellswift_pubkey1, ellswift_pubkey2, 88 seckey2, 1, secp256k1_ellswift_xdh_hash_function_bip324, NULL); 89 assert(return_val); 90 91 /* Both parties should end up with the same shared secret */ 92 return_val = memcmp(shared_secret1, shared_secret2, sizeof(shared_secret1)); 93 assert(return_val == 0); 94 95 printf( " Secret Key1: "); 96 print_hex(seckey1, sizeof(seckey1)); 97 printf( "EllSwift Pubkey1: "); 98 print_hex(ellswift_pubkey1, sizeof(ellswift_pubkey1)); 99 printf("\n Secret Key2: "); 100 print_hex(seckey2, sizeof(seckey2)); 101 printf( "EllSwift Pubkey2: "); 102 print_hex(ellswift_pubkey2, sizeof(ellswift_pubkey2)); 103 printf("\n Shared Secret: "); 104 print_hex(shared_secret1, sizeof(shared_secret1)); 105 106 /* This will clear everything from the context and free the memory */ 107 secp256k1_context_destroy(ctx); 108 109 /* It's best practice to try to clear secrets from memory after using them. 110 * This is done because some bugs can allow an attacker to leak memory, for 111 * example through "out of bounds" array access (see Heartbleed), or the OS 112 * swapping them to disk. Hence, we overwrite the secret key buffer with zeros. 113 * 114 * Here we are preventing these writes from being optimized out, as any good compiler 115 * will remove any writes that aren't used. */ 116 secure_erase(seckey1, sizeof(seckey1)); 117 secure_erase(seckey2, sizeof(seckey2)); 118 secure_erase(shared_secret1, sizeof(shared_secret1)); 119 secure_erase(shared_secret2, sizeof(shared_secret2)); 120 121 return EXIT_SUCCESS; 122 }