dcrypt_algorithms/ec/k256/
mod.rs

1//! Koblitz secp256k1 Elliptic Curve Primitives
2//!
3//! This module implements the secp256k1 elliptic curve operations in constant time.
4//! The curve equation is y² = x³ + 7 over the prime field F_p where:
5//! - p = 2^256 - 2^32 - 977
6//! - The curve order n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
7//!
8//! All operations are implemented to be constant-time to prevent timing attacks.
9
10mod constants;
11mod field;
12mod point;
13mod scalar;
14
15pub use constants::{
16    K256_FIELD_ELEMENT_SIZE, K256_KEM_SHARED_SECRET_KDF_OUTPUT_SIZE, K256_POINT_COMPRESSED_SIZE,
17    K256_POINT_UNCOMPRESSED_SIZE, K256_SCALAR_SIZE,
18};
19pub use field::FieldElement;
20pub use point::{Point, PointFormat};
21pub use scalar::Scalar;
22
23use crate::error::{Error, Result};
24use crate::hash::sha2::Sha256;
25use crate::kdf::hkdf::Hkdf;
26use crate::kdf::KeyDerivationFunction as KdfTrait;
27use rand::{CryptoRng, RngCore};
28
29/// SECP256K1 curve parameters (base point G)
30struct Secp256k1Params {
31    g_x: [u8; 32],
32    g_y: [u8; 32],
33}
34
35const SECP256K1: Secp256k1Params = Secp256k1Params {
36    g_x: [
37        0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
38        0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8,
39        0x17, 0x98,
40    ],
41    g_y: [
42        0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
43        0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10,
44        0xD4, 0xB8,
45    ],
46};
47
48/// Get the standard base point G of the secp256k1 curve
49pub fn base_point_g() -> Point {
50    Point::new_uncompressed(&SECP256K1.g_x, &SECP256K1.g_y)
51        .expect("Standard base point must be valid")
52}
53
54/// Scalar multiplication with the base point: scalar * G
55pub fn scalar_mult_base_g(scalar: &Scalar) -> Result<Point> {
56    let g = base_point_g();
57    g.mul(scalar)
58}
59
60/// Generate a cryptographically secure ECDH keypair
61pub fn generate_keypair<R: CryptoRng + RngCore>(rng: &mut R) -> Result<(Scalar, Point)> {
62    let mut scalar_bytes = [0u8; K256_SCALAR_SIZE];
63    loop {
64        rng.fill_bytes(&mut scalar_bytes);
65        match Scalar::new(scalar_bytes) {
66            Ok(private_key) => {
67                let public_key = scalar_mult_base_g(&private_key)?;
68                return Ok((private_key, public_key));
69            }
70            Err(_) => continue,
71        }
72    }
73}
74
75/// General scalar multiplication: compute scalar * point
76pub fn scalar_mult(scalar: &Scalar, point: &Point) -> Result<Point> {
77    if point.is_identity() {
78        return Ok(Point::identity());
79    }
80    point.mul(scalar)
81}
82
83/// Key derivation function for ECDH shared secret using HKDF-SHA256
84pub fn kdf_hkdf_sha256_for_ecdh_kem(
85    ikm: &[u8],
86    info: Option<&[u8]>,
87) -> Result<[u8; K256_KEM_SHARED_SECRET_KDF_OUTPUT_SIZE]> {
88    let hkdf_instance = <Hkdf<Sha256, 16> as KdfTrait>::new();
89
90    let derived_key_vec =
91        hkdf_instance.derive_key(ikm, None, info, K256_KEM_SHARED_SECRET_KDF_OUTPUT_SIZE)?;
92
93    let mut output_array = [0u8; K256_KEM_SHARED_SECRET_KDF_OUTPUT_SIZE];
94    if derived_key_vec.len() == K256_KEM_SHARED_SECRET_KDF_OUTPUT_SIZE {
95        output_array.copy_from_slice(&derived_key_vec);
96        Ok(output_array)
97    } else {
98        Err(Error::Length {
99            context: "KDF output for ECDH K256",
100            expected: K256_KEM_SHARED_SECRET_KDF_OUTPUT_SIZE,
101            actual: derived_key_vec.len(),
102        })
103    }
104}
105
106#[cfg(test)]
107mod tests;