Generating ECC shared-secret

Paul Wolneykien manowar at
Thu Sep 12 22:24:30 CEST 2019

12.09.2019 21:18, Tyler Jowers via Gnupg-devel writes:
> Good Thursday,
> I'm stuck figuring out how an ECC shared-secret should be generated
> with Libgcrypt.
> So far as I'm aware, the goal, after generating a public key with a
> random number, is to replace the generator point G with the other
> party's public key and use the local private key again to generate the
> shared secret.
> So I get the other party's q-point, then I (by some mechanism) convert
> the q-point to an mpi-point? I tried gcry_sexp_build(.. "(genkey (ecc
> (curve "NIST P-192") (g %S) (d %M)))",
> gcry_sexp_cdr(gcry_sexp_find_token(other_party_keydata, "q", 1)),
> u8_ptr_localprivatekey_as_mpi); And a few variations of that, and I
> don't get any error, but I get a duplicate public-key returned that
> matches verbatim the private-key.
> I need to know how the API wants me to generate a shared secret. If
> the way I was doing it is the right direction, how do I properly
> convert the q-point into a valid g-point?


  cipher/ecc.c: ecc_encrypt_raw() does all that for you. The other part is
in GnuPG: g10/pkglue.c: pk_encrypt(). It works as follows: you generate
an ephemeral private key — a scalar — and after ecc_encrypt_raw() you
get a) the shared point; b) the ephemeral public key (that corresponds
to the ephemeral private key you've passed to ecc_encrypt_raw()). The
way you get your shared secret — a scalar, suitable for symmetric
encryption — from the shared point depends on the key agreement algorithm.
One example is ECDH, implemented in g10/ecdh.c. Another one is GOST
VKO, which I'm working on. In general, you should reduce, i.e. hash, the
shared point data in some way.
