Skip to content

fix: ensure matching ECDH shared secret #1747

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from
Closed

fix: ensure matching ECDH shared secret #1747

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1aba679
fix: ensure matching ECDH shared secret
mdqst Sep 14, 2025
8c9aa94
Update ecdh.c
mdqst Sep 15, 2025
603a0e9
Update ecdh.c
mdqst Sep 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 21 additions & 22 deletions examples/ecdh.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,25 @@

#include "examples_util.h"

int extract_x_coordinate(const secp256k1_context* ctx, const secp256k1_pubkey* pubkey, unsigned char x[32]) {
unsigned char serialized[33];
size_t len = sizeof(serialized);

if (!secp256k1_ec_pubkey_serialize(ctx, serialized, &len, pubkey, SECP256K1_EC_COMPRESSED))
return 0;

memcpy(x, serialized + 1, 32);
return 1;
}

int main(void) {
unsigned char seckey1[32];
unsigned char seckey2[32];
unsigned char compressed_pubkey1[33];
unsigned char compressed_pubkey2[33];
unsigned char shared_secret1[32];
unsigned char shared_secret2[32];
unsigned char x1[32], x2[32];
unsigned char randomize[32];
int return_val;
size_t len;
Expand All @@ -47,71 +59,58 @@ int main(void) {
printf("Failed to generate randomness\n");
return EXIT_FAILURE;
}
/* If the secret key is zero or out of range (greater than secp256k1's
* order), we fail. Note that the probability of this occurring is negligible
* with a properly functioning random number generator. */
if (!secp256k1_ec_seckey_verify(ctx, seckey1) || !secp256k1_ec_seckey_verify(ctx, seckey2)) {
printf("Generated secret key is invalid. This indicates an issue with the random number generator.\n");
return EXIT_FAILURE;
}

/* Public key creation using a valid context with a verified secret key should never fail */
return_val = secp256k1_ec_pubkey_create(ctx, &pubkey1, seckey1);
assert(return_val);
return_val = secp256k1_ec_pubkey_create(ctx, &pubkey2, seckey2);
assert(return_val);

/* Serialize pubkey1 in a compressed form (33 bytes), should always return 1 */
len = sizeof(compressed_pubkey1);
return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey1, &len, &pubkey1, SECP256K1_EC_COMPRESSED);
assert(return_val);
/* Should be the same size as the size of the output, because we passed a 33 byte array. */
assert(len == sizeof(compressed_pubkey1));

/* Serialize pubkey2 in a compressed form (33 bytes) */
len = sizeof(compressed_pubkey2);
return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey2, &len, &pubkey2, SECP256K1_EC_COMPRESSED);
assert(return_val);
/* Should be the same size as the size of the output, because we passed a 33 byte array. */
assert(len == sizeof(compressed_pubkey2));

/*** Creating the shared secret ***/

/* Perform ECDH with seckey1 and pubkey2. Should never fail with a verified
* seckey and valid pubkey */
return_val = secp256k1_ecdh(ctx, shared_secret1, &pubkey2, seckey1, NULL, NULL);
assert(return_val);

/* Perform ECDH with seckey2 and pubkey1. Should never fail with a verified
* seckey and valid pubkey */
return_val = secp256k1_ecdh(ctx, shared_secret2, &pubkey1, seckey2, NULL, NULL);
assert(return_val);

/* Both parties should end up with the same shared secret */
return_val = memcmp(shared_secret1, shared_secret2, sizeof(shared_secret1));
assert(return_val == 0);

assert(extract_x_coordinate(ctx, &pubkey1, x1));
assert(extract_x_coordinate(ctx, &pubkey2, x2));

printf("Secret Key1: ");
print_hex(seckey1, sizeof(seckey1));
printf("Compressed Pubkey1: ");
print_hex(compressed_pubkey1, sizeof(compressed_pubkey1));
printf("X-coordinate Pubkey1: ");
print_hex(x1, sizeof(x1));

printf("\nSecret Key2: ");
print_hex(seckey2, sizeof(seckey2));
printf("Compressed Pubkey2: ");
print_hex(compressed_pubkey2, sizeof(compressed_pubkey2));
printf("X-coordinate Pubkey2: ");
print_hex(x2, sizeof(x2));

printf("\nShared Secret: ");
print_hex(shared_secret1, sizeof(shared_secret1));

/* This will clear everything from the context and free the memory */
secp256k1_context_destroy(ctx);

/* It's best practice to try to clear secrets from memory after using them.
* This is done because some bugs can allow an attacker to leak memory, for
* example through "out of bounds" array access (see Heartbleed), or the OS
* swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
*
* Here we are preventing these writes from being optimized out, as any good compiler
* will remove any writes that aren't used. */
secure_erase(seckey1, sizeof(seckey1));
secure_erase(seckey2, sizeof(seckey2));
secure_erase(shared_secret1, sizeof(shared_secret1));
Expand Down