1  /*************************************************************************
  2   * Written in 2024 by Sebastian Falbesoner                               *
  3   * To the extent possible under law, the author(s) have dedicated all    *
  4   * copyright and related and neighboring rights to the software in this  *
  5   * file to the public domain worldwide. This software is distributed     *
  6   * without any warranty. For the CC0 Public Domain Dedication, see       *
  7   * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
  8   *************************************************************************/
  9  
 10  /** This file demonstrates how to use the ElligatorSwift module to perform
 11   *  a key exchange according to BIP 324. Additionally, see the documentation
 12   *  in include/secp256k1_ellswift.h and doc/ellswift.md.
 13   */
 14  
 15  #include <stdio.h>
 16  #include <stdlib.h>
 17  #include <assert.h>
 18  #include <string.h>
 19  
 20  #include <secp256k1.h>
 21  #include <secp256k1_ellswift.h>
 22  
 23  #include "examples_util.h"
 24  
 25  int main(void) {
 26      secp256k1_context* ctx;
 27      unsigned char randomize[32];
 28      unsigned char auxrand1[32];
 29      unsigned char auxrand2[32];
 30      unsigned char seckey1[32];
 31      unsigned char seckey2[32];
 32      unsigned char ellswift_pubkey1[64];
 33      unsigned char ellswift_pubkey2[64];
 34      unsigned char shared_secret1[32];
 35      unsigned char shared_secret2[32];
 36      int return_val;
 37  
 38      /* Create a secp256k1 context */
 39      ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
 40      if (!fill_random(randomize, sizeof(randomize))) {
 41          printf("Failed to generate randomness\n");
 42          return EXIT_FAILURE;
 43      }
 44      /* Randomizing the context is recommended to protect against side-channel
 45       * leakage. See `secp256k1_context_randomize` in secp256k1.h for more
 46       * information about it. This should never fail. */
 47      return_val = secp256k1_context_randomize(ctx, randomize);
 48      assert(return_val);
 49  
 50      /*** Generate secret keys ***/
 51      if (!fill_random(seckey1, sizeof(seckey1)) || !fill_random(seckey2, sizeof(seckey2))) {
 52          printf("Failed to generate randomness\n");
 53          return EXIT_FAILURE;
 54      }
 55      /* If the secret key is zero or out of range (greater than secp256k1's
 56      * order), we fail. Note that the probability of this occurring is negligible
 57      * with a properly functioning random number generator. */
 58      if (!secp256k1_ec_seckey_verify(ctx, seckey1) || !secp256k1_ec_seckey_verify(ctx, seckey2)) {
 59          printf("Generated secret key is invalid. This indicates an issue with the random number generator.\n");
 60          return EXIT_FAILURE;
 61      }
 62  
 63      /* Generate ElligatorSwift public keys. This should never fail with valid context and
 64         verified secret keys. Note that providing additional randomness (fourth parameter) is
 65         optional, but recommended. */
 66      if (!fill_random(auxrand1, sizeof(auxrand1)) || !fill_random(auxrand2, sizeof(auxrand2))) {
 67          printf("Failed to generate randomness\n");
 68          return EXIT_FAILURE;
 69      }
 70      return_val = secp256k1_ellswift_create(ctx, ellswift_pubkey1, seckey1, auxrand1);
 71      assert(return_val);
 72      return_val = secp256k1_ellswift_create(ctx, ellswift_pubkey2, seckey2, auxrand2);
 73      assert(return_val);
 74  
 75      /*** Create the shared secret on each side ***/
 76  
 77      /* Perform x-only ECDH with seckey1 and ellswift_pubkey2. Should never fail
 78       * with a verified seckey and valid pubkey. Note that both parties pass both
 79       * EllSwift pubkeys in the same order; the pubkey of the calling party is
 80       * determined by the "party" boolean (sixth parameter). */
 81      return_val = secp256k1_ellswift_xdh(ctx, shared_secret1, ellswift_pubkey1, ellswift_pubkey2,
 82          seckey1, 0, secp256k1_ellswift_xdh_hash_function_bip324, NULL);
 83      assert(return_val);
 84  
 85      /* Perform x-only ECDH with seckey2 and ellswift_pubkey1. Should never fail
 86       * with a verified seckey and valid pubkey. */
 87      return_val = secp256k1_ellswift_xdh(ctx, shared_secret2, ellswift_pubkey1, ellswift_pubkey2,
 88          seckey2, 1, secp256k1_ellswift_xdh_hash_function_bip324, NULL);
 89      assert(return_val);
 90  
 91      /* Both parties should end up with the same shared secret */
 92      return_val = memcmp(shared_secret1, shared_secret2, sizeof(shared_secret1));
 93      assert(return_val == 0);
 94  
 95      printf(  "     Secret Key1: ");
 96      print_hex(seckey1, sizeof(seckey1));
 97      printf(  "EllSwift Pubkey1: ");
 98      print_hex(ellswift_pubkey1, sizeof(ellswift_pubkey1));
 99      printf("\n     Secret Key2: ");
100      print_hex(seckey2, sizeof(seckey2));
101      printf(  "EllSwift Pubkey2: ");
102      print_hex(ellswift_pubkey2, sizeof(ellswift_pubkey2));
103      printf("\n   Shared Secret: ");
104      print_hex(shared_secret1, sizeof(shared_secret1));
105  
106      /* This will clear everything from the context and free the memory */
107      secp256k1_context_destroy(ctx);
108  
109      /* It's best practice to try to clear secrets from memory after using them.
110       * This is done because some bugs can allow an attacker to leak memory, for
111       * example through "out of bounds" array access (see Heartbleed), or the OS
112       * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
113       *
114       * Here we are preventing these writes from being optimized out, as any good compiler
115       * will remove any writes that aren't used. */
116      secure_erase(seckey1, sizeof(seckey1));
117      secure_erase(seckey2, sizeof(seckey2));
118      secure_erase(shared_secret1, sizeof(shared_secret1));
119      secure_erase(shared_secret2, sizeof(shared_secret2));
120  
121      return EXIT_SUCCESS;
122  }