bitcoin-core · peterdettman · May 14, 2015 · May 13, 2015 · Jun 29, 2015 · May 15, 2015
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,6 @@
 bench_inv
+bench_ecdh
+bench_ecdh_xo
 bench_sign
 bench_verify
 bench_recover

diff --git a/Makefile.am b/Makefile.am
@@ -13,6 +13,8 @@ noinst_HEADERS += src/group.h
 noinst_HEADERS += src/group_impl.h
 noinst_HEADERS += src/num_gmp.h
 noinst_HEADERS += src/num_gmp_impl.h
+noinst_HEADERS += src/ecdh.h
+noinst_HEADERS += src/ecdh_impl.h
 noinst_HEADERS += src/ecdsa.h
 noinst_HEADERS += src/ecdsa_impl.h
 noinst_HEADERS += src/eckey.h
@@ -49,7 +51,7 @@ libsecp256k1_la_LIBADD = $(SECP_LIBS)
 
 noinst_PROGRAMS =
 if USE_BENCHMARK
-noinst_PROGRAMS += bench_verify bench_recover bench_sign bench_internal
+noinst_PROGRAMS += bench_verify bench_recover bench_sign bench_internal bench_ecdh bench_ecdh_xo
 bench_verify_SOURCES = src/bench_verify.c
 bench_verify_LDADD = libsecp256k1.la $(SECP_LIBS)
 bench_verify_LDFLAGS = -static
@@ -63,6 +65,14 @@ bench_internal_SOURCES = src/bench_internal.c
 bench_internal_LDADD = $(SECP_LIBS)
 bench_internal_LDFLAGS = -static
 bench_internal_CPPFLAGS = $(SECP_INCLUDES)
+bench_ecdh_SOURCES = src/bench_ecdh.c
+bench_ecdh_LDADD = libsecp256k1.la $(SECP_LIBS)
+bench_ecdh_LDFLAGS = -static
+bench_ecdh_CPPFLAGS = $(SECP_INCLUDES)
+bench_ecdh_xo_SOURCES = src/bench_ecdh_xo.c
+bench_ecdh_xo_LDADD = libsecp256k1.la $(SECP_LIBS)
+bench_ecdh_xo_LDFLAGS = -static
+bench_ecdh_xo_CPPFLAGS = $(SECP_INCLUDES)
 endif
 
 if USE_TESTS

diff --git a/include/secp256k1.h b/include/secp256k1.h
@@ -217,6 +217,30 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover_compact(
   int recid
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
 
+/** Compute an EC Diffie-Hellman secret in constant time
+ *  Returns: 1: exponentiation was successful
+ *          -1: scalar was zero
+ *          -2: scalar overflow
+ *          -3: invalid input point
+ *  In:      scalar:   a 32-byte scalar with which to multiply the point
+ *           point:    pointer to 33 or 65 byte array containing an EC point
+ *           pointlen: length of the point array
+ *  Out:     result:   a 32-byte array which will be populated by an ECDH
+ *                     secret computed from the point and scalar
+ */
+SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh(
+  unsigned char *result,
+  unsigned char *point,
+  int *pointlen,
+  const unsigned char *scalar
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh_xo(
+  unsigned char *result,
+  const unsigned char *x,
+  const unsigned char *scalar
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
 /** Verify an ECDSA secret key.
  *  Returns: 1: secret key is valid
  *           0: secret key is invalid

diff --git a/src/bench_ecdh.c b/src/bench_ecdh.c
@@ -0,0 +1,50 @@
+/**********************************************************************
+ * Copyright (c) 2015 Pieter Wuille, Andrew Poelstra                  *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#include <string.h>
+
+#include "include/secp256k1.h"
+#include "util.h"
+#include "bench.h"
+
+typedef struct {
+    unsigned char point[33];
+    int pointlen;
+    unsigned char scalar[32];
+} bench_multiply_t;
+
+static void bench_multiply_setup(void* arg) {
+    int i;
+    bench_multiply_t *data = (bench_multiply_t*)arg;
+    const unsigned char point[] = {
+        0x03,
+        0x54, 0x94, 0xc1, 0x5d, 0x32, 0x09, 0x97, 0x06,
+        0xc2, 0x39, 0x5f, 0x94, 0x34, 0x87, 0x45, 0xfd,
+        0x75, 0x7c, 0xe3, 0x0e, 0x4e, 0x8c, 0x90, 0xfb,
+        0xa2, 0xba, 0xd1, 0x84, 0xf8, 0x83, 0xc6, 0x9f
+    };
+
+    for (i = 0; i < 32; i++) data->scalar[i] = i + 1;
+    data->pointlen = sizeof(point);
+    memcpy(data->point, point, data->pointlen);
+}
+
+static void bench_multiply(void* arg) {
+    int i;
+    unsigned char res[32];
+    bench_multiply_t *data = (bench_multiply_t*)arg;
+
+    for (i = 0; i < 20000; i++) {
+        CHECK(secp256k1_ecdh(res, data->point, &data->pointlen, data->scalar) == 1);
+    }
+}
+
+int main(void) {
+    bench_multiply_t data;
+
+    run_benchmark("ecdh_mult", bench_multiply, bench_multiply_setup, NULL, &data, 10, 20000);
+    return 0;
+}
diff --git a/src/bench_ecdh_xo.c b/src/bench_ecdh_xo.c
@@ -0,0 +1,50 @@
+/**********************************************************************
+ * Copyright (c) 2015 Pieter Wuille, Andrew Poelstra                  *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#include <string.h>
+
+#include "include/secp256k1.h"
+#include "util.h"
+#include "bench.h"
+
+typedef struct {
+    unsigned char point[33];
+    int pointlen;
+    unsigned char scalar[32];
+} bench_multiply_t;
+
+static void bench_multiply_setup(void* arg) {
+    int i;
+    bench_multiply_t *data = (bench_multiply_t*)arg;
+    const unsigned char point[] = {
+        0x03,
+        0x54, 0x94, 0xc1, 0x5d, 0x32, 0x09, 0x97, 0x06,
+        0xc2, 0x39, 0x5f, 0x94, 0x34, 0x87, 0x45, 0xfd,
+        0x75, 0x7c, 0xe3, 0x0e, 0x4e, 0x8c, 0x90, 0xfb,
+        0xa2, 0xba, 0xd1, 0x84, 0xf8, 0x83, 0xc6, 0x9f
+    };
+
+    for (i = 0; i < 32; i++) data->scalar[i] = i + 1;
+    data->pointlen = sizeof(point);
+    memcpy(data->point, point, data->pointlen);
+}
+
+static void bench_multiply(void* arg) {
+    int i;
+    unsigned char res[32];
+    bench_multiply_t *data = (bench_multiply_t*)arg;
+
+    for (i = 0; i < 20000; i++) {
+        CHECK(secp256k1_ecdh_xo(res, data->point+1, data->scalar) == 1);
+    }
+}
+
+int main(void) {
+    bench_multiply_t data;
+
+    run_benchmark("ecdh_mult_xo", bench_multiply, bench_multiply_setup, NULL, &data, 10, 20000);
+    return 0;
+}
diff --git a/src/bench_internal.c b/src/bench_internal.c
@@ -13,6 +13,7 @@
 #include "field_impl.h"
 #include "group_impl.h"
 #include "scalar_impl.h"
+#include "ecdh_impl.h"
 #include "ecmult_impl.h"
 #include "bench.h"
 
@@ -96,7 +97,7 @@ void bench_scalar_split(void* arg) {
 
     for (i = 0; i < 20000; i++) {
         secp256k1_scalar_t l, r;
-        secp256k1_scalar_split_lambda_var(&l, &r, &data->scalar_x);
+        secp256k1_scalar_split_lambda(&l, &r, &data->scalar_x);
         secp256k1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y);
     }
 }
@@ -234,6 +235,16 @@ void bench_ecmult_wnaf(void* arg) {
     }
 }
 
+void bench_ecdh_wnaf(void* arg) {
+    int i;
+    bench_inv_t *data = (bench_inv_t*)arg;
+
+    for (i = 0; i < 20000; i++) {
+        secp256k1_ecdh_wnaf(data->wnaf, data->scalar_x, WINDOW_A);
+        secp256k1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y);
+    }
+}
+
 
 void bench_sha256(void* arg) {
     int i;
@@ -309,6 +320,7 @@ int main(int argc, char **argv) {
     if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine", bench_group_add_affine, bench_setup, NULL, &data, 10, 200000);
     if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine_var", bench_group_add_affine_var, bench_setup, NULL, &data, 10, 200000);
 
+    if (have_flag(argc, argv, "ecdh") || have_flag(argc, argv, "wnaf")) run_benchmark("ecdh_wnaf", bench_ecdh_wnaf, bench_setup, NULL, &data, 10, 20000);
     if (have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("ecmult_wnaf", bench_ecmult_wnaf, bench_setup, NULL, &data, 10, 20000);
 
     if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "sha256")) run_benchmark("hash_sha256", bench_sha256, bench_setup, NULL, &data, 10, 20000);

diff --git a/src/ecdh.h b/src/ecdh.h
@@ -0,0 +1,15 @@
+/**********************************************************************
+ * Copyright (c) 2015 Pieter Wuille, Andrew Poelstra                  *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_ECDH_
+#define _SECP256K1_ECDH_
+
+#include "scalar.h"
+#include "group.h"
+
+static void secp256k1_point_multiply(secp256k1_gej_t *r, const secp256k1_ge_t *a, const secp256k1_scalar_t *q);
+
+#endif