Module ecdh

Elliptic Curve Diffie-Hellman (ECDH) on short Weierstrass curves.

ECDH is exposed as a method on the Curve trait, alongside ECDSA sign / verify and keygen. The same seven unit structs cover all curve operations:

use arcana::ecc::curves::{Curve, P256};
use rand_core::OsRng; // assumed source of OsRng; the crate's own re-export may differ

let mut rng = OsRng;
// keygen returns (public key, secret key)
let (alice_pk, alice_sk) = P256::keygen(&mut rng);
let (bob_pk,   bob_sk)   = P256::keygen(&mut rng);

// Each side multiplies its own secret scalar by the peer's (validated) public point.
let secret_a = P256::ecdh(&alice_sk, &bob_pk).expect("alice ecdh");
let secret_b = P256::ecdh(&bob_sk,   &alice_pk).expect("bob ecdh");
assert_eq!(secret_a, secret_b);

§Supported curves

All seven Curve implementors: P256, P384, P521, Secp256k1, BrainpoolP256r1, BrainpoolP384r1, BrainpoolP512r1.

§Output format

Curve::ecdh returns the raw X coordinate of the shared point, encoded as LIMBS * 8 big-endian bytes. This matches NIST SP 800-56A §5.7.1.2 (“ECC CDH Primitive”) and the TLS / IKE conventions. Higher-level KDFs (HKDF, X9.63 KDF, …) are out of scope for this layer.

§Public key validation (mandatory)

Before multiplying the secret scalar by a peer’s public key, ecdh validates that the peer’s point is actually on the curve. Skipping this check enables invalid-curve attacks that recover bits of the secret key one chosen point at a time, so it is non-negotiable here. See super::curve::is_on_curve. The same internal entry point is used by Curve::verify, so the validation rules cannot drift between ECDH and ECDSA verify.

Validation performed on every ecdh call:

  1. SEC1 uncompressed format: pk.bytes.len() == 1 + 2*LIMBS*8
  2. Format byte: pk.bytes[0] == 0x04
  3. Coordinates are field elements in [0, p) (implicit via decoding)
  4. Point satisfies y² = x³ + a·x + b mod p
  5. Resulting shared point is not the point at infinity (small-subgroup defence in depth)
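The five checks above, carried through on P-256 as an added illustration (Python for compactness; this is not the crate's code and the toy affine arithmetic is not constant time). Curve constants are the standard secp256r1 parameters; `LIMBS = 4` mirrors the 4 x 64-bit layout behind the `LIMBS * 8` sizes in this module.

```python
# P-256 (secp256r1) domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
LIMBS = 4  # four 64-bit limbs -> 32-byte coordinates, as in the module docs

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None   # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Left-to-right double-and-add (illustration only, not constant time)."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1": acc = add(acc, pt)
    return acc

def encode(pt):
    """SEC1 uncompressed: 0x04 || X || Y, each LIMBS*8 bytes big-endian."""
    return b"\x04" + pt[0].to_bytes(LIMBS * 8, "big") + pt[1].to_bytes(LIMBS * 8, "big")

def decode_validated(pk: bytes):
    """Checks 1-4 from the list above; any failure raises ValueError."""
    if len(pk) != 1 + 2 * LIMBS * 8: raise ValueError("bad length")        # 1
    if pk[0] != 0x04: raise ValueError("not SEC1 uncompressed")            # 2
    x = int.from_bytes(pk[1:1 + LIMBS * 8], "big")
    y = int.from_bytes(pk[1 + LIMBS * 8:], "big")
    if x >= P or y >= P: raise ValueError("coordinate not in [0, p)")      # 3
    if (y * y - (x * x * x + A * x + B)) % P: raise ValueError("not on curve")  # 4
    return (x, y)

def ecdh(sk: int, peer_pk: bytes) -> bytes:
    """Raw X coordinate of sk * peer, LIMBS*8 big-endian bytes (SP 800-56A ECC CDH)."""
    shared = mul(sk, decode_validated(peer_pk))
    if shared is None: raise ValueError("shared point is infinity")       # 5
    return shared[0].to_bytes(LIMBS * 8, "big")
```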

§Test-only file

The actual implementation lives next to the other LIMBS-generic curve helpers in super::ecdsa (ecdh_internal<LIMBS>) and is dispatched through the Curve trait in super::curves. This file exists to host the ECDH-specific documentation and the integration tests for ECDH; there is no public API defined here.