Skip to content

ECDH result not matching #1444

Discussion options

You must be logged in to vote

The "raw" shared secret is just a curve point (P = PlainECDH(xG, yG) = xyG), and the computation of this match on the same curve and same keys. But a curve point does not look like a uniform random byte string (and having a value that does is preferable). That's why implementations hash this value and return the hash as an actual shared secret, i.e., they return H(P), and now the result depends on your choice of H and the encoding of P (e.g., compressed vs uncompressed).

I don't know what mbedTLS does the hashing (perhaps similar to what is done in TLS?). What libsecp256k1 returns by default is SHA256(compressed(P)). If you need a different way of computing the hash, you can pass a functi…

Replies: 1 comment 7 replies

Comment options

You must be logged in to vote
7 replies
@hugomendiondo
Comment options

@real-or-random
Comment options

Answer selected by real-or-random
@hugomendiondo
Comment options

@real-or-random
Comment options

@hugomendiondo
Comment options

@sipa
Comment options

sipa Nov 23, 2023
Maintainer

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Category
Q&A
Labels
None yet
3 participants