paulmillr
commented
8 months ago - There is NO standard for ECDH. 33-byte ECDH is acceptable. 32-byte ECDH is acceptable. Hashed ECDH is acceptable. Unhashed ECDH is acceptable. NIST uses one way. Bitcoin uses another way. Someone hashes result with sha256. Someone hashes with sha3.
- We do 33-byte because it's not possible to fully restore point from 32-byte hex. 33-byte hex has y-parity as first byte, meaning it's possible to restore full public key. If you need 32-byte, do
result.subarray(1) - We don't support ASN encoding. We barely support DER, just for encoding and decoding of signatures. The test vectors use ASN encoding for points, and since we don't support it, there is no way to test for them. If you would like to contribute ASN parsing for the tests, we can merge it.
- We extensively test point operations and do fuzzing, everything has been correct so far.
mirceanis
I'm trying to use this lib to do some P-256 key agreement and I seem to have stumbled upon a problem. The shared secret being generated is 33 bytes long for P256. This tells me that I'm getting the compressed form of the point. I looked at some test vectors I found in other places and saw that they are expecting 32 bytes (only the X coord). The fix for this would be easy.
BUT
Then I started looking at the test vectors being used here and at first glance everything seems to coincide with other public vectors, but upon running the tests I noticed that NONE of the relevant vectors are actually included in the tests for ECDH!
The "problem" seems to be this line where they are excluded based on encoding, but all the vectors are using the same encoding, so all get excluded.