Add two more ECDH methods, so we have 3 ECDH methods (#7)

Author: Sajjon

Package.swift

@@ -5,12 +5,10 @@ import PackageDescription
 
 let package = Package(
     name: "K1",
-    
     platforms: [
       .macOS(.v11),
       .iOS(.v13),
     ],
-
     products: [
         .library(
             name: "K1",
@@ -19,12 +17,10 @@ let package = Package(
             ]
         ),
     ],
-
     dependencies: [
          // Only used by tests
         .package(url: "https://github.com/filom/ASN1Decoder", from: "1.8.0")
     ],
-
     targets: [
 
         // Target `libsecp256k1` https://github.com/bitcoin-core/secp256k1

Sources/K1/K1/K1/Error.swift

@@ -27,7 +27,7 @@ public extension K1 {
         case incorrectByteCountOfMessageToValidate
         case failedToCompressPublicKey
         case failedToUncompressPublicKey
-        
+        case failedToProduceSharedSecret
         case incorrectByteCountOfPublicKey(got: Int, acceptableLengths: [Int])
         case failedToParsePublicKeyFromBytes
         case failedToParseDERSignature

Sources/K1/K1/Keys/PrivateKey/PrivateKey/PrivateKey+Bridge+To+C.swift

@@ -35,7 +35,7 @@ extension Bridge {
             }
             nonceFunctionArbitraryBytes = [UInt8](nonceFunctionArbitraryData)
         }
-                
+        
         var signatureRecoverableBridgedToC = secp256k1_ecdsa_recoverable_signature()
 
         try Self.call(
@@ -81,7 +81,7 @@ extension Bridge {
             }
             nonceFunctionArbitraryBytes = [UInt8](nonceFunctionArbitraryData)
         }
-                
+        
         var signatureBridgedToC = secp256k1_ecdsa_signature()
 
         try Self.call(
@@ -96,7 +96,7 @@ extension Bridge {
                 nonceFunctionArbitraryBytes
             )
         }
-
+        
         return Data(
             bytes: &signatureBridgedToC.data,
             count: MemoryLayout.size(ofValue: signatureBridgedToC.data)
@@ -114,7 +114,7 @@ extension Bridge {
         var signatureOut = [UInt8](repeating: 0, count: 64)
 
         var keyPair = secp256k1_keypair()
-
+        
         try Self.call(
             ifFailThrow: .failedToInitializeKeyPairForSchnorrSigning
         ) { context in
@@ -140,31 +140,62 @@ extension Bridge {
                 auxilaryRandomBytes
             )
         }
-
+        
         var publicKey = secp256k1_xonly_pubkey()
-
+        
         try Self.call(
             ifFailThrow: .failedToSchnorrSignErrorGettingPubKeyFromKeyPair
         ) { context in
             secp256k1_keypair_xonly_pub(context, &publicKey, nil, &keyPair)
         }
-
+        
         try Self.call(
             ifFailThrow: .failedToSchnorrSignDigestDidNotPassVerification
         ) { context in
             secp256k1_schnorrsig_verify(context, &signatureOut, message, message.count, &publicKey)
         }
-
+        
         return Data(signatureOut)
     }
 
+    enum ECDHSerializeFunction {
+        
+        /// Using the `libsecp256k1` default behaviour, which is to SHA256 hash the compressed public key
+        case libsecp256kDefault
+        
+        /// Following the [ANSI X9.63][ansix963] standard
+        ///
+        /// [ansix963]: https://webstore.ansi.org/standards/ascx9/ansix9632011r2017
+        case ansiX963
+        
+        /// Following no standard at all, does not hash the shared public point, and returns it in full.
+        case noHashWholePoint
+        
+        func hashfp() -> (Optional<@convention(c) (Optional<UnsafeMutablePointer<UInt8>>, Optional<UnsafePointer<UInt8>>, Optional<UnsafePointer<UInt8>>, Optional<UnsafeMutableRawPointer>) -> Int32>) {
+            switch self {
+            case .libsecp256kDefault: return secp256k1_ecdh_hash_function_default
+            case .ansiX963: return ecdh_skip_hash_extract_only_x
+            case .noHashWholePoint: return ecdh_skip_hash_extract_x_and_y
+            }
+        }
+        
+        var outputByteCount: Int {
+            switch self {
+            case .libsecp256kDefault: return K1.Curve.Field.byteCount
+            case .ansiX963: return K1.Curve.Field.byteCount
+            case .noHashWholePoint: return K1.Format.uncompressed.length
+            }
+        }
+    }
+    
     static func ecdh(
         publicKey publicKeyBytes: [UInt8],
-        privateKey: SecureBytes
+        privateKey: SecureBytes,
+        hashFp: ECDHSerializeFunction
     ) throws -> Data {
-
+        
         var publicKeyBridgedToC = secp256k1_pubkey()
-
+        
         try Self.call(ifFailThrow: .incorrectByteCountOfPublicKey(providedByteCount: publicKeyBytes.count)) { context in
             /* Parse a variable-length public key into the pubkey object. */
             secp256k1_ec_pubkey_parse(
@@ -174,10 +205,10 @@ extension Bridge {
                 publicKeyBytes.count
             )
         }
-
+        
         var sharedPublicPointBytes = [UInt8](
             repeating: 0,
-            count: K1.Format.uncompressed.length
+            count: hashFp.outputByteCount
         )
 
         try Self.call(
@@ -190,7 +221,7 @@ extension Bridge {
                 &sharedPublicPointBytes, // output
                 &publicKeyBridgedToC, // pubkey
                 privateKey.backing.bytes, // seckey
-                ecdh_skip_hash_extract_x_and_y, // hashfp
+                hashFp.hashfp(), // hashfp
                 nil // arbitrary data pointer that is passed through to hashfp
             )
         }
@@ -259,7 +290,7 @@ extension Bridge {
             message: message
         )
     }
-
+    
     /// Recover an ECDSA public key from a signature.
     static func _recoverPublicKey(
         rs rsData: Data,
@@ -312,13 +343,13 @@ extension Bridge {
             try Self.call(
                 ifFailThrow: .failedToSerializePublicKeyIntoBytes
             ) { context in
-               secp256k1_ec_pubkey_serialize(
-                context,
-                pubkeyBytes.baseAddress!,
-                &pubkeyBytesSerializedCount,
-                &publicKeyBridgedToC,
-                publicKeyFormat.rawValue
-               )
+                secp256k1_ec_pubkey_serialize(
+                    context,
+                    pubkeyBytes.baseAddress!,
+                    &pubkeyBytesSerializedCount,
+                    &publicKeyBridgedToC,
+                    publicKeyFormat.rawValue
+                )
             }
         }
         guard
@@ -327,7 +358,7 @@ extension Bridge {
         else {
             throw K1.Error.failedToSerializePublicKeyIntoBytes
         }
-  
+        
         return publicPointBytes
     }
 }
@@ -384,7 +415,7 @@ public extension ECDSASignatureNonRecoverable {
 }
 
 public extension K1.PrivateKey {
-
+    
     /// Produces a **recoverable** ECDSA signature.
     func ecdsaSignRecoverable<D: DataProtocol>(
         hashed message: D,
@@ -394,7 +425,7 @@ public extension K1.PrivateKey {
         let raw = try withSecureBytes {
             try Bridge.ecdsaSignRecoverable(message: messageBytes, privateKey: $0, mode: mode)
         }
-
+        
         return try ECDSASignatureRecoverable.init(rawRepresentation: raw)
     }
 
@@ -407,7 +438,7 @@ public extension K1.PrivateKey {
         let signatureData = try withSecureBytes { (secureBytes: SecureBytes) -> Data in
             try Bridge.ecdsaSignNonRecoverable(message: messageBytes, privateKey: secureBytes, mode: mode)
         }
-
+        
         return try ECDSASignatureNonRecoverable(
             rawRepresentation: signatureData
         )
@@ -421,12 +452,12 @@ public extension K1.PrivateKey {
         let signatureData = try withSecureBytes { (secureBytes: SecureBytes) -> Data in
             try Bridge.schnorrSign(message: message, privateKey: secureBytes, input: maybeInput)
         }
-
+        
         return try SchnorrSignature(
             rawRepresentation: signatureData
         )
     }
-
+    
     func ecdsaSignNonRecoverable<D: Digest>(
         digest: D,
         mode: ECDSASignatureNonRecoverable.SigningMode = .default
@@ -470,7 +501,7 @@ public extension K1.PrivateKey {
         try schnorrSign(digest: SHA256.hash(data: data), input: maybeInput)
     }
 
-  
+    
     func sign<S: ECSignatureScheme, D: DataProtocol>(
         hashed: D,
         scheme: S.Type,
@@ -487,28 +518,121 @@ public extension K1.PrivateKey {
         try S.Signature.by(signing: Array(digest), with: self, mode: mode)
     }
 
-      func sign<S: ECSignatureScheme, D: DataProtocol>(
-          unhashed: D,
-          scheme: S.Type,
-          mode: S.Signature.SigningMode
-      ) throws -> S.Signature {
-          try sign(
+    func sign<S: ECSignatureScheme, D: DataProtocol>(
+        unhashed: D,
+        scheme: S.Type,
+        mode: S.Signature.SigningMode
+    ) throws -> S.Signature {
+        try sign(
             hashed: Data(S.hash(unhashed: unhashed)),
             scheme: scheme,
             mode: mode
-          )
-      }
+        )
+    }
+}
+
+/// MARK: ECDH
+extension K1.PrivateKey {
 
-    /// Performs a key agreement with provided public key share.
-    ///
-    /// - Parameter publicKeyShare: The public key to perform the ECDH with.
-    /// - Returns: Returns the public point obtain by performing EC mult between
-    ///  this `privateKey` and `publicKeyShare`
-    /// - Throws: An error occurred while computing the shared secret
-    func sharedSecret(with publicKeyShare: K1.PublicKey) throws -> Data {
+    private func _ecdh(
+        publicKey: K1.PublicKey,
+        serializeOutputFunction hashFp: Bridge.ECDHSerializeFunction
+    ) throws -> Data {
         let sharedSecretData = try withSecureBytes { secureBytes in
-            try Bridge.ecdh(publicKey: publicKeyShare.uncompressedRaw, privateKey: secureBytes)
+            try Bridge.ecdh(
+                publicKey: publicKey.uncompressedRaw,
+                privateKey: secureBytes,
+                hashFp: hashFp
+            )
         }
         return sharedSecretData
     }
+    
+  
+
+    /// Computes a shared secret with the provided public key from another party,
+    /// returning only the `X` coordinate of the point, following [ANSI X9.63][ansix963] standards.
+    ///
+    /// This is one of three ECDH functions, this library vendors, all three versions
+    /// uses different serialization of the shared EC Point, specifically:
+    /// 1. SHA-256 hash the compressed point
+    /// 2. No hash, return point uncompressed
+    /// 3. No hash, return only the `X` coordinate of the point <- this function
+    ///
+    /// This function uses 3. i.e. no hash, and returns only the `X` coordinate of the point.
+    /// This is following the [ANSI X9.63][ansix963] standard serialization of the shared point.
+    ///
+    /// Further more this function is compatible with CryptoKit, since it returns a CryptoKit
+    /// `SharedSecret` struct, thus offering you to use all of CryptoKit's Key Derivation Functions
+    /// (`KDF`s), which can be called on the `SharedSecret`.
+    ///
+    /// As seen on [StackExchange][cryptostackexchange], this version is compatible with the following
+    /// libraries:
+    /// - JS: `elliptic` (v6.4.0 in nodeJS v8.2.1)
+    /// - JS: `crypto` (builtin) - uses openssl under the hood (in nodeJS v8.2.1)
+    /// - .NET: `BouncyCastle` (BC v1.8.1.3, .NET v2.1.4)
+    ///
+    /// [ansix963]: https://webstore.ansi.org/standards/ascx9/ansix9632011r2017
+    /// [cryptostackexchange]: https://crypto.stackexchange.com/a/57727
+    public func sharedSecretFromKeyAgreement(
+        with publicKeyShare: K1.PublicKey
+    ) throws -> SharedSecret {
+        let sharedSecretData =  try _ecdh(publicKey: publicKeyShare, serializeOutputFunction: .ansiX963)
+        let __sharedSecret = __SharedSecret(ss: .init(bytes: sharedSecretData))
+        let sharedSecret = unsafeBitCast(__sharedSecret, to: SharedSecret.self)
+        guard sharedSecret.withUnsafeBytes({ Data($0).count == sharedSecretData.count }) else {
+            throw K1.Error.failedToProduceSharedSecret
+        }
+        return sharedSecret
+    }
+    
+    /// Computes a shared secret with the provided public key from another party,
+    /// using `libsecp256k1` default behaviour, returning a hashed of the compressed point.
+    ///
+    /// This is one of three ECDH functions, this library vendors, all three versions
+    /// uses different serialization of the shared EC Point, specifically:
+    /// 1. SHA-256 hash the compressed point <- this function
+    /// 2. No hash, return point uncompressed
+    /// 3. No hash, return only the `X` coordinate of the point.
+    ///
+    /// This function uses 1. i.e.SHA-256 hash the compressed point.
+    /// This is using the [default behaviour of `libsecp256k1`][libsecp256k1], which does not adhere to any
+    /// other standard.
+    ///
+    /// As seen on [StackExchange][cryptostackexchange], this version is compatible with all
+    /// libraries which wraps `libsecp256k1`, e.g.:
+    /// - Python wrapper: secp256k1 (v0.13.2, for python 3.6.4)
+    /// - JS wrapper: secp256k1 (v3.5.0, for nodeJS v8.2.1)
+    ///
+    /// [libsecp256k1]: https://github.com/bitcoin-core/secp256k1/blob/master/src/modules/ecdh/main_impl.h#L27
+    /// [cryptostackexchange]: https://crypto.stackexchange.com/a/57727
+    ///
+    public func ecdh(with publicKey: K1.PublicKey) throws -> Data {
+        try _ecdh(publicKey: publicKey, serializeOutputFunction: .libsecp256kDefault)
+    }
+    
+    /// Computes a shared secret with the provided public key from another party,
+    /// returning an uncompressed public point, unhashed.
+    ///
+    /// This is one of three ECDH functions, this library vendors, all three versions
+    /// uses different serialization of the shared EC Point, specifically:
+    /// 1. SHA-256 hash the compressed point
+    /// 2. No hash, return point uncompressed <- this function
+    /// 3. No hash, return only the `X` coordinate of the point.
+    ///
+    /// This function uses 2. i.e. no hash, return point uncompressed
+    /// **This is not following any standard at all**, but might be useful if you want to write your
+    /// cryptographic functions, e.g. some ECIES scheme.
+    ///
+    public func ecdhPoint(with publicKey: K1.PublicKey) throws -> Data {
+        try _ecdh(publicKey: publicKey, serializeOutputFunction: .noHashWholePoint)
+    }
+}
+
+// MUST match https://github.com/apple/swift-crypto/blob/main/Sources/Crypto/Key%20Agreement/DH.swift#L34
+
+/// A Key Agreement Result
+/// A SharedSecret has to go through a Key Derivation Function before being able to use by a symmetric key operation.
+public struct __SharedSecret {
+    var ss: SecureBytes
 }

Sources/secp256k1/src/ecdh_no_hashfp.c

@@ -1,5 +1,5 @@
 //
-//  ecdh_no_hashfp.c.c
+//  ecdh_no_hashfp.c
 //  
 //
 //  Created by Alexander Cyon on 2022-01-31.
@@ -16,3 +16,9 @@ int ecdh_skip_hash_extract_x_and_y(unsigned char *output, const unsigned char *x
     memcpy(output + 33, y32, 32);
     return 1;
 }
+
+int ecdh_skip_hash_extract_only_x(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data) {
+    (void)data;
+    memcpy(output, x32, 32);
+    return 1;
+}

Sources/secp256k1/src/ecdh_no_hashfp.h

@@ -12,4 +12,10 @@
 
 int ecdh_skip_hash_extract_x_and_y(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data);
 
+
+int ecdh_skip_hash_extract_only_x(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data);
+
+
+
+
 #endif /* ecdh_no_hashfp_h */

Tests/K1Tests/TestCases/ECDH/ECDHTests.swift

@@ -6,18 +6,54 @@
 //
 
 import Foundation
-import K1
+@testable import K1
 import XCTest
 
 final class ECDHTests: XCTestCase {
 
-    func testECDH() throws {
+    func testECDHPoint() throws {
         let alice = try K1.PrivateKey.generateNew()
         let bob = try K1.PrivateKey.generateNew()
 
-        let ab = try alice.sharedSecret(with: bob.publicKey)
-        let ba = try bob.sharedSecret(with: alice.publicKey)
+        let ab = try alice.ecdhPoint(with: bob.publicKey)
+        let ba = try bob.ecdhPoint(with: alice.publicKey)
         XCTAssertEqual(ab, ba, "Alice and Bob should be able to agree on the same secret")
     }
+    
+    func testECDHLibsecp256k1() throws {
+        let alice = try K1.PrivateKey.generateNew()
+        let bob = try K1.PrivateKey.generateNew()
+        
+        let ab = try alice.ecdh(with: bob.publicKey)
+        let ba = try bob.ecdh(with: alice.publicKey)
+        XCTAssertEqual(ab, ba, "Alice and Bob should be able to agree on the same secret")
+    }
+    
+    func testECDHX963() throws {
+        let alice = try K1.PrivateKey.generateNew()
+        let bob = try K1.PrivateKey.generateNew()
+        
+        let ab = try alice.sharedSecretFromKeyAgreement(with: bob.publicKey)
+        let ba = try bob.sharedSecretFromKeyAgreement(with: alice.publicKey)
+        XCTAssertEqual(ab, ba, "Alice and Bob should be able to agree on the same secret")
+    }
+    
+    /// Test vectors from: https://crypto.stackexchange.com/q/57695
+    func test_crypto_stackexchange_vector() throws {
+        let privateKey1 = try PrivateKey(hex: "82fc9947e878fc7ed01c6c310688603f0a41c8e8704e5b990e8388343b0fd465")
+        let privateKey2 = try PrivateKey(hex: "5f706787ac72c1080275c1f398640fb07e9da0b124ae9734b28b8d0f01eda586")
+        
+        let libsecp256k1 = try privateKey1.ecdh(with: privateKey2.publicKey)
+        let ans1X963 = try privateKey1.sharedSecretFromKeyAgreement(with: privateKey2.publicKey).withUnsafeBytes({ Data($0) })
+        
+        XCTAssertEqual(libsecp256k1.hex, "5935d0476af9df2998efb60383adf2ff23bc928322cfbb738fca88e49d557d7e")
+        XCTAssertEqual(ans1X963.hex, "3a17fe5fa33c4f2c7e61799a65061214913f39bfcbee178ab351493d5ee17b2f")
+        
+    }
 }
 
+extension K1.PrivateKey {
+    init(hex: String) throws {
+        self = try Self.import(rawRepresentation: Data(hex: hex))
+    }
+}

Tests/K1Tests/TestCases/ECDH/ECDHWychoproofTests.swift

@@ -78,10 +78,13 @@ private extension ECDHWychoproofTests {
                 var privateBytes = [UInt8]()
                 privateBytes = try padKeyIfNecessary(vector: testVector.privateKey)
                 let privateKey = try PrivateKey.import(rawRepresentation: privateBytes)
-                let expectedXComponent = try Data(hex: testVector.shared)
-                let sharedPublicKeyPoint = try privateKey.sharedSecret(with: publicKey)
-                let sharedPublicKeyXComponent = Data(sharedPublicKeyPoint[1..<33]) // slice out just X component
-                XCTAssertEqual(sharedPublicKeyXComponent, expectedXComponent, file: file, line: line)
+                
+                /// ANS1 X9.63 serialization of shared secret, returning a `CryptoKit.SharedSecret`
+                let sharedPublicKeyPoint = try privateKey.sharedSecretFromKeyAgreement(with: publicKey)
+                let got = sharedPublicKeyPoint.withUnsafeBytes {
+                    Data($0)
+                }
+                XCTAssertEqual(got.hex, testVector.shared, file: file, line: line)
             } catch {
                 if testVector.result != "invalid" {
                     XCTFail("Failed with error: \(String(describing: error)), test vector: \(String(describing: testVector))")

Tests/K1Tests/TestCases/ECDSA/ECDSASignatureTrezorTests.swift

@@ -49,7 +49,7 @@ private extension XCTestCase {
             XCTAssertEqual(signatureFromMessage, expectedSignature)
             try XCTAssertEqual(signatureRecoverableFromMessage.nonRecoverable(), expectedSignature)
             let recid = try signatureRecoverableFromMessage.compact().recoveryID
-            XCTAssertEqual(signatureRecoverableFromMessage.rawRepresentation.hex, expectedSignature.rawRepresentation.hex + "\(Data([UInt8(recid)]).hex)x")
+            XCTAssertEqual(signatureRecoverableFromMessage.rawRepresentation.hex, expectedSignature.rawRepresentation.hex + "\(Data([UInt8(recid)]).hex)")
             numberOfTestsRun += 1
         }
         return .init(numberOfTestsRun: numberOfTestsRun, idsOmittedTests: [])