Overview
ECDH computes a shared secret S = private_key × peer_public_key on the secp256k1 elliptic curve. The upstream C function executes in constant time with respect to the secret scalar, matching its contract line: “Compute an EC Diffie-Hellman secret in constant time.” The shared secret is returned as a serialized point in compressed (33-byte, default) or uncompressed (65-byte) form. That output comes from the custom hash closure installed in sharedSecretFromKeyAgreement(with:format:), which overrides the upstream default (secp256k1_ecdh_hash_function_sha256, which would return a 32-byte SHA-256 hash of the compressed point) so that callers receive the raw serialized EC point, suitable as input to any higher-level KDF.
Bitcoin-ecosystem consumers include BIP-324 v2 P2P transport, BIP-352 Silent Payments, and Lightning Network session-key derivation.
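The following Python model is an added example, not code from this library or from upstream secp256k1. It contrasts the raw serialized point described above with the upstream SHA-256 default and feeds the raw point to a KDF. The function names, the choice of HKDF-SHA256 as the higher-level KDF, and the ALICE/BOB scalars are assumptions, and the scalar multiplication here is not constant time.

```python
import hashlib, hmac

# secp256k1 field prime, group order and generator (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine addition; None is the point at infinity."""
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add. NOT constant time; a model, unlike the upstream C code."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def serialize(pt, compressed=True):
    """SEC1: 33 bytes (02/03 || x) or 65 bytes (04 || x || y)."""
    x, y = (c.to_bytes(32, "big") for c in pt)
    return bytes([2 + (pt[1] & 1)]) + x if compressed else b"\x04" + x + y

def ecdh_raw_point(priv, peer, compressed=True):
    """Models the custom closure: the serialized point itself is the output."""
    if not 0 < priv < N: raise ValueError("private key out of range")
    if (peer[1] ** 2 - peer[0] ** 3 - 7) % P: raise ValueError("peer key not on curve")
    return serialize(mul(priv, peer), compressed)

def ecdh_upstream_default(priv, peer):
    """Models secp256k1_ecdh_hash_function_sha256: SHA-256(compressed point)."""
    return hashlib.sha256(ecdh_raw_point(priv, peer)).digest()

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869): extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm = block = b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

ALICE, BOB = 0x1111, 0x2222  # constructed demo scalars, not real keys
```

Both parties obtain the same 33-byte point, and distinct HKDF info strings yield independent keys from it, which a caller of the already-hashed upstream default would have to layer on top of a fixed SHA-256 output instead.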
Important
Context randomization does not provide side-channel protection for ECDH. Per the upstream secp256k1_context_randomize documentation in Vendor/secp256k1/include/secp256k1.h: “A notable exception [to the rule that randomization protects secret-key operations] is the ECDH module, which relies on a different kind of elliptic curve point multiplication and thus does not benefit from enhanced protection against side-channel leakage currently.” Consumers needing hardened ECDH should perform it on an air-gapped device or with platform-specific mitigations.
Topics
Key Types