Expose API for constant time point multiplication

apoelstra · apoelstra · commit 171470e8405e · 2015-07-02T16:53:17.000-05:00
diff --git a/include/secp256k1.h b/include/secp256k1.h
@@ -217,6 +217,24 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover_compact(
   int recid
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
 
+/** Compute an EC Diffie-Hellman secret in constant time
+ *  Returns: 1: exponentiation was successful
+ *          -1: scalar was zero
+ *          -2: scalar overflow
+ *          -3: invalid input point
+ *  In:      scalar:   a 32-byte scalar with which to multiply the point
+ *           point:    pointer to 33 or 65 byte array containing an EC point
+ *           pointlen: length of the point array
+ *  Out:     result:   a 32-byte array which will be populated by an ECDH
+ *                     secret computed from the point and scalar
+ */
+SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh(
+  unsigned char *result,
+  unsigned char *point,
+  int *pointlen,
+  const unsigned char *scalar
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 /** Verify an ECDSA secret key.
  *  Returns: 1: secret key is valid
  *           0: secret key is invalid
diff --git a/src/secp256k1.c b/src/secp256k1.c
@@ -225,6 +225,50 @@ int secp256k1_ecdsa_recover_compact(const secp256k1_context_t* ctx, const unsign
     return ret;
 }
 
+int secp256k1_ecdh(unsigned char *result, unsigned char *point, int *pointlen, const unsigned char *scalar) {
+    int ret = 0;
+    int overflow = 0;
+    secp256k1_gej_t res;
+    secp256k1_ge_t pt;
+    secp256k1_scalar_t s;
+    DEBUG_CHECK(point != NULL);
+    DEBUG_CHECK(pointlen != NULL);
+    DEBUG_CHECK(scalar != NULL);
+
+    if (secp256k1_eckey_pubkey_parse(&pt, point, *pointlen)) {
+        secp256k1_scalar_set_b32(&s, scalar, &overflow);
+        if (secp256k1_scalar_is_zero(&s)) {
+            ret = -1;
+        } else if (overflow) {
+            ret = -2;
+        } else {
+            unsigned char x[32];
+            unsigned char y[1];
+            secp256k1_sha256_t sha;
+
+            secp256k1_point_multiply(&res, &pt, &s);
+            secp256k1_ge_set_gej(&pt, &res);
+            /* Compute a hash of the point in compressed form
+             * Note we cannot use secp256k1_eckey_pubkey_serialize here since it does not
+             * expect its output to be secret and has a timing sidechannel. */
+            secp256k1_fe_normalize(&pt.x);
+            secp256k1_fe_normalize(&pt.y);
+            secp256k1_fe_get_b32(x, &pt.x);
+            y[0] = 0x02 | secp256k1_fe_is_odd(&pt.y);
+
+            secp256k1_sha256_initialize(&sha);
+            secp256k1_sha256_write(&sha, y, sizeof(y));
+            secp256k1_sha256_write(&sha, x, sizeof(x));
+            secp256k1_sha256_finalize(&sha, result);
+            ret = 1;
+        }
+    } else {
+        ret = -3;
+    }
+    secp256k1_scalar_clear(&s);
+    return ret;
+}
+
 int secp256k1_ec_seckey_verify(const secp256k1_context_t* ctx, const unsigned char *seckey) {
     secp256k1_scalar_t sec;
     int ret;
diff --git a/src/tests.c b/src/tests.c
@@ -1348,13 +1348,50 @@ void ecdh_chain_multiply(void) {
     ge_equals_gej(&res, &expected_point);
 }
 
+void ecdh_generator_basepoint(void) {
+    secp256k1_ge_t gen = secp256k1_ge_const_g;
+    unsigned char point[33];
+    unsigned char point2[33];
+    int pointlen = sizeof(point), point2len = sizeof(point2);
+    int i;
+
+    /* Check against pubkey creation when the basepoint is the generator */
+    for (i = 0; i < 100; ++i) {
+        secp256k1_sha256_t sha;
+        unsigned char s_b32[32];
+        unsigned char output_ecdh[32];
+        unsigned char output_ser[32];
+        secp256k1_scalar_t s;
+
+        random_scalar_order(&s);
+        secp256k1_scalar_get_b32(s_b32, &s);
+
+        /* compute using ECDH function */
+        secp256k1_eckey_pubkey_serialize(&gen, point, &pointlen, 1);
+        CHECK(secp256k1_ecdh(output_ecdh, point, &pointlen, s_b32) == 1);
+        /* compute "explicitly" */
+        secp256k1_eckey_pubkey_serialize(&gen, point2, &point2len, 1);
+        CHECK(secp256k1_ec_pubkey_create(ctx, point2, &point2len, s_b32, 1) == 1);
+
+        secp256k1_sha256_initialize(&sha);
+        secp256k1_sha256_write(&sha, point2, sizeof(point2));
+        secp256k1_sha256_finalize(&sha, output_ser);
+        /* compare */
+        CHECK(memcmp(output_ecdh, output_ser, sizeof(output_ser)) == 0);
+    }
+}
+
 void run_ecdh_tests(void) {
     ecdh_mult_zero_one();
     ecdh_random_mult();
     ecdh_commutativity();
     ecdh_chain_multiply();
 }
 
+void run_ecdh_api_tests(void) {
+    ecdh_generator_basepoint();
+}
+
 /***** ECMULT TESTS *****/
 
 void run_ecmult_chain(void) {
@@ -2448,6 +2485,7 @@ int main(int argc, char **argv) {
 
     /* ecdh tests */
     run_ecdh_tests();
+    run_ecdh_api_tests();
 
     /* ecdsa tests */
     run_random_pubkeys();
