pub fn x25519_ecdh(sk: &[u8; 32], peer_pk: &[u8; 32]) -> [u8; 32]
X25519 Diffie-Hellman: derive a shared secret from our secret key and the peer’s public key.
Returns the 32-byte little-endian u-coordinate of the point sk * peer_pk,
i.e. X25519(sk, peer_pk) as defined in RFC 7748. This is the raw shared
secret (NIST SP 800-56A “Z”), not a key: pass it to HKDF or a similar KDF
before using it for symmetric keying.
Small-subgroup attack note
RFC 7748 §6.1 warns that X25519 accepts low-order public keys
(points in the small subgroups of Curve25519 and its twist, for
example the encodings of u = 0 and u = 1). Because the clamped
scalar is a multiple of the cofactor 8, every such key collapses
the shared secret to the same fixed value, the all-zero string,
so the result is no longer “contributory”: the peer alone chose
it. The RFC says an implementation MAY check for the all-zero
output and abort, and its security considerations tell protocol
designers not to assume contributory behaviour otherwise. A
defensive implementation may therefore want to reject the result
if it is all-zero, which signals the peer sent a low-order point.
We deliberately do not reject here because (a) the check is
optional in the spec, and (b) a downstream KDF that binds both
public keys into the derivation (TLS 1.3 transcript_hash, Noise
HKDF, …) is the standard mitigation. Callers who want the
low-order check can run it themselves. RFC 7748 asks that the
check not leak anything further about the secret, so fold the
bytes together and decide once rather than stopping at the first
non-zero byte:
let shared = x25519_ecdh(&sk, &peer_pk);
// OR every byte into one accumulator and branch once at the end; a
// short-circuiting `iter().all(|&b| b == 0)` would leak how many
// leading bytes of the secret were zero through its timing.
let acc = shared.iter().fold(0u8, |acc, &b| acc | b);
if acc == 0 {
    return Err("non-contributory shared secret: peer sent a low-order point");
}
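To see the behaviour described above end to end, here is an added, self-contained X25519 written for this page in plain Rust with no crates, with a function of the same signature as `x25519_ecdh` layered on top and the optional contributory check beside it. It is illustrative code, not this crate's implementation: the radix-2^51 field arithmetic, the Montgomery ladder and the helper names `x25519`, `contributory_ecdh` and `hex32` are all this example's own. The inputs are the RFC 7748 §6.1 test keys plus the low-order u-coordinate 1, both embedded as constructed test data.

```rust
/// Field element mod p = 2^255 - 19: five little-endian radix-2^51 limbs, each kept below 2^52.
#[derive(Clone, Copy)]
struct Fe([u64; 5]);
const MASK: u64 = (1 << 51) - 1;
const ONE: Fe = Fe([1, 0, 0, 0, 0]);
const A24: Fe = Fe([121665, 0, 0, 0, 0]); // (486662 - 2) / 4, the ladder constant from RFC 7748
const TWO_P: [u64; 5] = [(1 << 52) - 38, (1 << 52) - 2, (1 << 52) - 2, (1 << 52) - 2, (1 << 52) - 2];
/// Carry-propagate a wide accumulator back into limbs, folding 2^255 ≡ 19 (mod p) into limb 0.
fn reduce(mut t: [u128; 5]) -> Fe {
    for i in 0..4 { t[i + 1] += t[i] >> 51; t[i] &= MASK as u128; }
    t[0] += 19 * (t[4] >> 51); t[4] &= MASK as u128;
    t[1] += t[0] >> 51; t[0] &= MASK as u128;
    Fe([t[0] as u64, t[1] as u64, t[2] as u64, t[3] as u64, t[4] as u64])
}
fn add(a: &Fe, b: &Fe) -> Fe { reduce(std::array::from_fn(|i| (a.0[i] + b.0[i]) as u128)) }
/// a - b is computed as a + 2p - b so that no limb ever goes negative.
fn sub(a: &Fe, b: &Fe) -> Fe { reduce(std::array::from_fn(|i| (a.0[i] + TWO_P[i] - b.0[i]) as u128)) }
fn mul(a: &Fe, b: &Fe) -> Fe {
    let mut t = [0u128; 5];
    for i in 0..5 { for j in 0..5 { // the limb product a_i * b_j has weight 2^(51(i+j))
        let p = a.0[i] as u128 * b.0[j] as u128;
        if i + j < 5 { t[i + j] += p } else { t[i + j - 5] += 19 * p }
    } }
    reduce(t)
}
/// 1/a = a^(p-2) by square-and-multiply; invert(0) = 0, so a point at infinity (Z = 0) encodes as all zeros.
fn invert(a: &Fe) -> Fe {
    let mut e = [0xffu8; 32]; e[0] = 0xeb; e[31] = 0x7f; // p - 2 = 0x7fff...ffeb, little-endian
    (0..255usize).rev().fold(ONE, |r, i| { let r2 = mul(&r, &r); if ((e[i / 8] >> (i % 8)) & 1) == 1 { mul(&r2, a) } else { r2 } })
}
/// Decode 32 little-endian bytes, masking bit 255 as RFC 7748 requires for u-coordinates.
fn from_bytes(b: &[u8; 32]) -> Fe {
    let load = |i: usize| (0..8).fold(0u64, |acc, j| acc | ((b[i + j] as u64) << (8 * j)));
    Fe([load(0) & MASK, (load(6) >> 3) & MASK, (load(12) >> 6) & MASK, (load(19) >> 1) & MASK, (load(24) >> 12) & MASK])
}
/// Reduce to the canonical representative in [0, p), then serialize little-endian.
fn to_bytes(a: &Fe) -> [u8; 32] {
    let mut h = a.0;
    for i in 0..4 { h[i + 1] += h[i] >> 51; h[i] &= MASK; }
    h[0] += 19 * (h[4] >> 51); h[4] &= MASK;
    h[1] += h[0] >> 51; h[0] &= MASK;
    let mut q = (h[0] + 19) >> 51; // q = 1 iff value >= p, i.e. iff value + 19 reaches bit 255
    for i in 1..5 { q = (h[i] + q) >> 51; }
    h[0] += 19 * q; // when q = 1, value - p = (value + 19) mod 2^255: add 19, then drop bit 255
    for i in 0..4 { h[i + 1] += h[i] >> 51; h[i] &= MASK; } h[4] &= MASK;
    let (mut out, mut acc, mut bits, mut idx) = ([0u8; 32], 0u128, 0u32, 0usize);
    for &limb in &h {
        acc |= (limb as u128) << bits; bits += 51;
        while bits >= 8 { out[idx] = acc as u8; acc >>= 8; bits -= 8; idx += 1; }
    }
    out[31] = acc as u8; // the final 7 bits
    out
}
/// Constant-time conditional swap driven by a scalar bit: no branch on the secret.
fn cswap(swap: u64, a: &mut Fe, b: &mut Fe) {
    let mask = 0u64.wrapping_sub(swap);
    for i in 0..5 { let t = mask & (a.0[i] ^ b.0[i]); a.0[i] ^= t; b.0[i] ^= t; }
}
/// X25519(k, u) per RFC 7748 section 5: clamp k, then run the Montgomery ladder on the u-coordinate only.
fn x25519(k: &[u8; 32], u: &[u8; 32]) -> [u8; 32] {
    let mut k = *k; k[0] &= 248; k[31] &= 127; k[31] |= 64; // clamping: multiple of 8, bit 254 set
    let x1 = from_bytes(u);
    let (mut x2, mut z2, mut x3, mut z3, mut swap) = (ONE, Fe([0; 5]), x1, ONE, 0u64);
    for t in (0..255usize).rev() {
        let kt = ((k[t / 8] >> (t % 8)) & 1) as u64; swap ^= kt;
        cswap(swap, &mut x2, &mut x3); cswap(swap, &mut z2, &mut z3);
        swap = kt;
        let (a, b) = (add(&x2, &z2), sub(&x2, &z2));
        let (aa, bb) = (mul(&a, &a), mul(&b, &b));
        let e = sub(&aa, &bb);
        let (da, cb) = (mul(&sub(&x3, &z3), &a), mul(&add(&x3, &z3), &b));
        let (s, d) = (add(&da, &cb), sub(&da, &cb));
        x3 = mul(&s, &s);
        z3 = mul(&x1, &mul(&d, &d));
        x2 = mul(&aa, &bb);
        z2 = mul(&e, &add(&aa, &mul(&A24, &e)));
    }
    cswap(swap, &mut x2, &mut x3); cswap(swap, &mut z2, &mut z3);
    to_bytes(&mul(&x2, &invert(&z2)))
}
fn x25519_ecdh(sk: &[u8; 32], peer_pk: &[u8; 32]) -> [u8; 32] { x25519(sk, peer_pk) }
/// The optional contributory check: OR every byte and decide once, rather than returning on the first non-zero byte.
fn contributory_ecdh(sk: &[u8; 32], peer_pk: &[u8; 32]) -> Result<[u8; 32], &'static str> {
    let shared = x25519_ecdh(sk, peer_pk);
    if shared.iter().fold(0u8, |acc, &b| acc | b) == 0 { Err("peer sent a low-order point") } else { Ok(shared) }
}
/// Constructed inputs only: decode the RFC 7748 section 6.1 hex vectors used below.
fn hex32(s: &str) -> [u8; 32] { std::array::from_fn(|i| u8::from_str_radix(&s[2 * i..2 * i + 2], 16).unwrap()) }
fn main() {
    let a = hex32("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"); // Alice's private key
    let pk_b = hex32("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"); // Bob's public key
    println!("shared = {:02x?}", contributory_ecdh(&a, &pk_b));
    println!("u = 1  = {:?}", contributory_ecdh(&a, &hex32(&format!("01{}", "00".repeat(31)))));
}
```

The first line prints the §6.1 shared secret (4a5d9d5b…), the second prints the rejection: with u = 1 the raw `x25519_ecdh` output is all zeros, exactly the value the crate's function hands back unchanged and leaves to the caller to refuse. Needs Rust 1.63 or newer for `std::array::from_fn`.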