1CRYPTO_KEY_EXCHANGE(3MONOCYPHER)     LOCAL    CRYPTO_KEY_EXCHANGE(3MONOCYPHER)
2

NAME

4     crypto_key_exchange, crypto_key_exchange_public_key — Elliptic Curve
5     Diffie-Hellman key exchange
6

SYNOPSIS

8     #include <monocypher.h>
9
10     void
11     crypto_key_exchange(uint8_t shared_key[32],
12         const uint8_t your_secret_key[32],
13         const uint8_t their_public_key[32]);
14
15     void
16     crypto_key_exchange_public_key(uint8_t your_public_key[32],
17         const uint8_t your_secret_key[32]);
18

DESCRIPTION

20     crypto_key_exchange() computes a shared key with your secret key and
21     their public key.
22
23     crypto_key_exchange_public_key() deterministically computes the public
24     key from a random secret key.
25
26     The arguments are:
27
28     shared_key
29             The shared secret, known only to those who know a relevant secret
30             key (yours or theirs).  It is cryptographically random, and suit‐
31             able for use with the crypto_lock(3monocypher) family of func‐
32             tions.
33
34     your_secret_key
35             A 32-byte random number, known only to you.  See
36             intro(3monocypher) for advice about generating random bytes (use
37             the operating system's random number generator).
38
39     their_public_key
40             The public key of the other party.
41
42     your_public_key
43             Your public key, generated from your_secret_key with
44             crypto_key_exchange_public_key().
45
46     shared_key and your_secret_key may overlap if the secret is no longer re‐
47     quired.
48
49     Some poorly designed protocols require to test for “contributory” behav‐
50     iour, which ensures that no untrusted party forces the shared secret to a
51     known constant.  Protocols should instead be designed in such a way that
52     no such check is necessary, namely by authenticating the other party or
53     exchanging keys over a trusted channel.
54
55     Do not use the same secret key for both key exchanges and signatures.
56     The public keys are different, and revealing both may leak information.
57     If there really is no room to store or derive two different secret keys,
58     consider generating a key pair for signatures and then converting it with
59     crypto_from_eddsa_private(3monocypher) and
60     crypto_from_eddsa_public(3monocypher).
61

RETURN VALUES

63     crypto_key_exchange() and crypto_key_exchange_public_key() return noth‐
64     ing.
65

EXAMPLES

67     The following examples assume the existence of arc4random_buf(), which
68     fills the given buffer with cryptographically secure random bytes.  If
69     arc4random_buf() does not exist on your system, see intro(3monocypher)
70     for advice about how to generate cryptographically secure random bytes.
71
72     Generate a public key from a randomly generated secret key:
73
74           uint8_t sk[32]; /* Random secret key */
75           uint8_t pk[32]; /* Public key        */
76           arc4random_buf(sk, 32);
77           crypto_key_exchange_public_key(pk, sk);
78           /* Wipe secrets if they are no longer needed */
79           crypto_wipe(sk, 32);
80
81     Generate a shared, symmetric key with your secret key and their public
82     key.  (The other party will generate the same shared key with your public
83     key and their secret key.)
84
85           const uint8_t their_pk  [32]; /* Their public key   */
86           uint8_t       your_sk   [32]; /* Your secret key    */
87           uint8_t       shared_key[32]; /* Shared session key */
88           crypto_key_exchange(shared_key, your_sk, their_pk);
89           /* Wipe secrets if they are no longer needed */
90           crypto_wipe(your_sk, 32);
91

SEE ALSO

93     crypto_lock(3monocypher), intro(3monocypher)
94

STANDARDS

96     These functions implement X25519, described in RFC 7748.
97     crypto_key_exchange() uses HChacha20 as well.
98

HISTORY

100     The crypto_key_exchange() function first appeared in Monocypher 0.2.  The
101     crypto_key_exchange_public_key() macro alias first appeared in Monocypher
102     1.1.0.
103

SECURITY CONSIDERATIONS

105     If either of the long term secret keys leaks, it may compromise all past
106     messages.  This can be avoided by using protocols that provide forward
107     secrecy, such as the X3DH key agreement protocol.
108

IMPLEMENTATION DETAILS

110     crypto_key_exchange_public_key() is an alias to
111     crypto_x25519_public_key(3monocypher).
112
113BSD                             March 31, 2020                             BSD
Impressum