ECDH result not matching

[hugomendiondo]

Hi,
I´m adding this library to an embedded C existing system which was previously implemented using mbedTLS crypto.
I got all features working except the ecdh shared secret which is giving me different results from the one computed using mbedTLS.
I wonder if I am missing some format conversion, or if I am using it in a wrong way.
Below I copy some outputs from my test code. Any help will be appreciated

Secret Key1: 0x5d0f213d48268661cda5e83eb836b866edfaf2603874c623aff93703314c0c6c
Compressed Pubkey1: 0x02c0f1363bf867abfccdc2f685be279163c31a89ad40bfb23463b0a8f246cc025e

Secret Key2: 0xd9abbbf215909e5c14ea41e4ee64a6a34c40c6d6211c50b50ab5b88c512f3762
Compressed Pubkey2: 0x024bab0726bff6328ebad13db2e33253829cb9803c68bfcf64b7c3f26fa706b5f2

Shared Secret1: 0x2c368d0b063161c5c26fadc91fd97adaab7791b3d9bd20530f4616c01419deab

Shared Secret2: 0x2c368d0b063161c5c26fadc91fd97adaab7791b3d9bd20530f4616c01419deab


MBEDTLS inPublicKey->bytes: 0x024bab0726bff6328ebad13db2e33253829cb9803c68bfcf64b7c3f26fa706b5f2
MBEDTLS uncompressedPublicKey->bytes: 0x044bab0726bff6328ebad13db2e33253829cb9803c68bfcf64b7c3f26fa706b5f2e197da706a858ff0a519a0ca0e1287a821615e10dc7a831b843cbd1fc57a625c
MBEDTLS outSharedSecret->bytes: 0xb9165ba0cb130cdbc7b2959e6e46add4bd46cbeb297429217839d5fdfc151464

[sipa]

I don't know how MBEDTLS defines the shared secret computation, but there is no reason to assume it is in any way similar to what libsecp256k1 does.

[hugomendiondo]

Thanks for your fast response!
Ok, maybe I am missing something but, as I understand, using the same curve and the same keys the shared secret should match. Am I wrong?

[real-or-random]

The "raw" shared secret is just a curve point (P = PlainECDH(xG, yG) = xyG), and the computation of this match on the same curve and same keys. But a curve point does not look like a uniform random byte string (and having a value that does is preferable). That's why implementations hash this value and return the hash as an actual shared secret, i.e., they return H(P), and now the result depends on your choice of H and the encoding of P (e.g., compressed vs uncompressed).

I don't know what mbedTLS does the hashing (perhaps similar to what is done in TLS?). What libsecp256k1 returns by default is SHA256(compressed(P)). If you need a different way of computing the hash, you can pass a function pointer hashfp to secp256k1_ecdh. (You can also "abuse" this functionality, and pass the identity function that simply gives you P.) Please see the full documentation in https://github.com/bitcoin-core/secp256k1/blob/master/include/secp256k1_ecdh.h.

[hugomendiondo]

Thank you very much!
FYI, I have found a way to make them match, and it was by passing a different hash function.

[real-or-random]

For my curiosity, and perhaps it helps future readers of this question: What's the function you needed to pass to achieve compatibility with mbedTLS? Can you post the code here?

[hugomendiondo]

Sure!
I´ve found it in the test code provided and only removed the header byte.
This is the function I am using and is working for me.

static int ecdh_hash_function_custom(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) 
{
    (void)data;
    /* Save x and y as uncompressed public key */
    memcpy(output, x, 32);
    memcpy(output + 32, y, 32);
    return 1;
}

[sipa]

The shared MBEDTLS secret you pasted before was only 32 bytes, not 64?