Add x-only ECDH functionality to ecdh module

sipa · sipa · commit b66e0d1ea226 · 2023-09-19T12:41:02.000-04:00
diff --git a/include/secp256k1_ecdh.h b/include/secp256k1_ecdh.h
@@ -25,6 +25,22 @@ typedef int (*secp256k1_ecdh_hash_function)(
   void *data
 );
 
+/** A pointer to a function that hashes an X coordinate to obtain an ECDH secret
+ *
+ *  Returns: 1 if the point was successfully hashed.
+ *           0 will cause secp256k1_ecdh_xonly to fail and return 0.
+ *           Other return values are not allowed, and the behaviour of
+ *           secp256k1_ecdh_xonly is undefined for other return values.
+ *  Out:     output:     pointer to an array to be filled by the function
+ *  In:      x32:        pointer to a 32-byte x coordinate
+ *           data:       arbitrary data pointer that is passed through
+ */
+typedef int (*secp256k1_ecdh_xonly_hash_function)(
+  unsigned char *output,
+  const unsigned char *x32,
+  void *data
+);
+
 /** An implementation of SHA256 hash function that applies to compressed public key.
  * Populates the output parameter with 32 bytes. */
 SECP256K1_API const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_sha256;
@@ -33,6 +49,10 @@ SECP256K1_API const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_sh
  * Populates the output parameter with 32 bytes. */
 SECP256K1_API const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_default;
 
+/** An implementation of SHA256 hash function that applies to the X coordinate.
+ * Populates the output parameter with 32 bytes. */
+SECP256K1_API const secp256k1_ecdh_xonly_hash_function secp256k1_ecdh_xonly_hash_function_sha256;
+
 /** Compute an EC Diffie-Hellman secret in constant time
  *
  *  Returns: 1: exponentiation was successful
@@ -56,6 +76,33 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh(
   void *data
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
+/** Compute an EC X-only Diffie-Hellman secret in constant time
+ *
+ *  Returns: 1: exponentiation was successful
+ *           0: scalar was invalid (zero or overflow), input is not a valid X coordinate, or hashfp
+ *              returned 0.
+ *  Args:    ctx:        pointer to a context object.
+ *  Out:     output:     pointer to an array to be filled by hashfp.
+ *  In:      xpubkey:    a pointer to the 32-byte serialization of an x-only public key (see the
+ *                       extrakeys module for details).
+ *           seckey:     a 32-byte scalar with which to multiply the point.
+ *           hashfp:     pointer to a hash function. If NULL,
+ *                       secp256k1_ecdh_xonly+hash_function_sha256 is used
+ *                       (in which case, 32 bytes will be written to output).
+ *           data:       arbitrary data pointer that is passed through to hashfp
+ *                       (can be NULL for secp256k1_ecdh_xonly_hash_function_sha256).
+ *
+ * The function is constant time in seckey. It is not constant time in xpubkey, hashfp, or the output.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh_xonly(
+  const secp256k1_context* ctx,
+  unsigned char *output,
+  const unsigned char *xpubkey,
+  const unsigned char *seckey,
+  secp256k1_ecdh_xonly_hash_function hashfp,
+  void *data
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/modules/ecdh/main_impl.h b/src/modules/ecdh/main_impl.h
@@ -23,8 +23,20 @@ static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char
     return 1;
 }
 
+static int ecdh_xonly_hash_function_sha256(unsigned char *output, const unsigned char *x32, void *data) {
+    secp256k1_sha256 sha;
+    (void)data;
+
+    secp256k1_sha256_initialize(&sha);
+    secp256k1_sha256_write(&sha, x32, 32);
+    secp256k1_sha256_finalize(&sha, output);
+
+    return 1;
+}
+
 const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_sha256 = ecdh_hash_function_sha256;
 const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_default = ecdh_hash_function_sha256;
+const secp256k1_ecdh_xonly_hash_function secp256k1_ecdh_xonly_hash_function_sha256 = ecdh_xonly_hash_function_sha256;
 
 int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *output, const secp256k1_pubkey *point, const unsigned char *scalar, secp256k1_ecdh_hash_function hashfp, void *data) {
     int ret = 0;
@@ -68,4 +80,49 @@ int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *output, const se
     return !!ret & !overflow;
 }
 
+int secp256k1_ecdh_xonly(const secp256k1_context* ctx, unsigned char *output, const unsigned char* xpubkey, const unsigned char *scalar, secp256k1_ecdh_xonly_hash_function hashfp, void *data) {
+    int ret;
+    int overflow;
+    secp256k1_fe x;
+    unsigned char x32[32];
+    secp256k1_scalar s;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(output != NULL);
+    ARG_CHECK(xpubkey != NULL);
+    ARG_CHECK(scalar != NULL);
+
+    if (hashfp == NULL) {
+        hashfp = secp256k1_ecdh_xonly_hash_function_sha256;
+    }
+
+    if (!secp256k1_fe_set_b32_limit(&x, xpubkey)) {
+        /* X-only public key overflow, bail out early (we don't need to be constant time in pubkey). */
+        memset(output, 0, 32);
+        return 0;
+    }
+
+    secp256k1_scalar_set_b32(&s, scalar, &overflow);
+
+    overflow |= secp256k1_scalar_is_zero(&s);
+    secp256k1_scalar_cmov(&s, &secp256k1_scalar_one, overflow);
+
+    if (!secp256k1_ecmult_const_xonly(&x, &x, NULL, &s, 0)) {
+        /* Input is not a valid X coordinate, bail out early. */
+        memset(output, 0, 32);
+        return 0;
+    }
+
+    /* Compute a hash of the point */
+    secp256k1_fe_normalize(&x);
+    secp256k1_fe_get_b32(x32, &x);
+
+    ret = hashfp(output, x32, data);
+
+    memset(x32, 0, 32);
+    secp256k1_scalar_clear(&s);
+
+    return !!ret & !overflow;
+}
+
 #endif /* SECP256K1_MODULE_ECDH_MAIN_H */
