Got incorrect shared key length

[parviz-mv]

Hi! I have tested ECDH with P-256, P-384, and P-521 curves in Golang, Node.js, and the noble/curves library. First, I generate a key pair and then retrieve the shared key. For all curves, I obtain a shared key that is more than 1 byte. For example, for the P-256 curve, I get a shared key with 33 bytes instead of 32. In Golang and Node.js, I receive 32 bytes, but with the noble/curves library, I get 33 bytes. So, why is there such a discrepancy?

[paulmillr]

1. There is no popular ECDH standard. Everyone does it in a different way. Some implementations do a hash or kdf on the output, which is proper and more secure. We don't do hashing to leave flexibility to users.
2. 33-byte output is the same as what you're getting from getPublicKey. It's a real compressed point.
3. 32-byte output is the same thing, but without first byte. So, you can do .subarray(1).
4. If we were to change into 32 bytes, you would not be able to initialize a Point from it using Point.fromHex, because the first (parity) byte is ambiguous and could mean 2 different points.

I think our implementation is proper. It's flexible. Maybe a bit more docs would be nice.

[paulmillr]

Improved in 9b7889e

[parviz-mv]

@paulmillr I got it! Thanks!