aztec-nr - noir_aztec::oracle::shared_secret

Function get_shared_secret

pub unconstrained fn get_shared_secret(
    address: AztecAddress,
    ephPk: EmbeddedCurvePoint,
    contract_address: AztecAddress,
) -> Field

Returns an app-siloed shared secret between address and someone who knows the secret key behind an ephemeral public key ephPk.

The returned value is a Field s_app, computed as:

S     = address_secret * ephPk          (raw ECDH point)
s_app = h(DOM_SEP, S.x, S.y, contract)  (app-siloed scalar)

where contract is the address of the calling contract. The oracle host validates that contract_address matches the contract currently executing in its context, so a caller cannot obtain another contract's s_app simply by passing that contract's address.

Without app-siloing, a malicious contract could call this oracle with the same public inputs (address, ephPk) and obtain the raw ECDH secret S that the legitimate contract uses, enabling cross-contract decryption of that contract's notes or logs. By hashing the contract address into the result, each contract receives a different s_app, and the raw point S never leaves the oracle host.
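The derivation and the siloing argument above, as an added worked example that is not aztec-nr code. It stands in secp256k1 for Grumpkin and SHA-256 for the field hash, and the domain separator, the address construction and the two contract addresses are made-up assumptions; the numbers therefore differ from Aztec's, but the structure (S = address_secret * ephPk, s_app = h(DOM_SEP, S.x, S.y, contract), host-side check of contract_address) is the one the page describes.

```python
"""Added example, not aztec-nr code: app-siloed ECDH shared secret.
Assumptions: secp256k1 replaces Grumpkin, SHA-256 replaces Poseidon2,
DOM_SEP and the contract/address encodings are stand-ins."""
import hashlib
import secrets

# secp256k1 parameters (stand-in for the embedded curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DOM_SEP = b"example.shared_secret"  # assumption: stand-in domain separator


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def h(*fields):
    """Stand-in for the domain-separated hash h(DOM_SEP, ...)."""
    data = DOM_SEP + b"".join(f.to_bytes(32, "big") for f in fields)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def raw_secret(scalar, point):
    """S = scalar * point: plain ECDH, independent of the calling contract."""
    return ec_mul(scalar, point)


def siloed_secret(scalar, point, contract):
    """s_app = h(DOM_SEP, S.x, S.y, contract)."""
    sx, sy = raw_secret(scalar, point)
    return h(sx, sy, contract)


class OracleHost:
    """Models the host side: it holds address secrets and knows which contract
    is executing, so the silo comes from its own context, not from the caller."""

    def __init__(self):
        self.secrets = {}  # address -> address_secret

    def register(self):
        sk = 1 + secrets.randbelow(N - 1)
        pk = ec_mul(sk, G)
        address = h(*pk) % N  # assumption: address = hash of the public key
        self.secrets[address] = sk
        return address, pk

    def get_shared_secret(self, address, eph_pk, contract_address, executing):
        if contract_address != executing:
            raise ValueError("contract_address does not match execution context")
        return siloed_secret(self.secrets[address], eph_pk, executing)


def demo():
    host = OracleHost()
    alice, alice_pk = host.register()
    app_a, app_b = 0xA1, 0xB2  # assumption: two contract addresses

    # Sender: fresh ephemeral key, s_app computed from Alice's public key.
    eph_sk = 1 + secrets.randbelow(N - 1)
    eph_pk = ec_mul(eph_sk, G)
    sender_s_app = siloed_secret(eph_sk, alice_pk, app_a)

    # Recipient: contract A asks the oracle and must land on the same s_app.
    recv_s_app = host.get_shared_secret(alice, eph_pk, app_a, executing=app_a)

    # Contract B with the same public inputs gets a different s_app ...
    other_s_app = host.get_shared_secret(alice, eph_pk, app_b, executing=app_b)
    # ... and cannot claim to be A, because the host checks its own context.
    try:
        host.get_shared_secret(alice, eph_pk, app_a, executing=app_b)
        forged = True
    except ValueError:
        forged = False

    # An unsiloed oracle would hand every contract the identical raw point S.
    raw_same = raw_secret(eph_sk, alice_pk) == raw_secret(host.secrets[alice], eph_pk)
    return {"agree": sender_s_app == recv_s_app, "siloed": recv_s_app != other_s_app,
            "forged": forged, "raw_same": raw_same}


if __name__ == "__main__":
    print(demo())
```

The host derives the silo from the contract it is actually executing and only compares the caller-supplied contract_address against it; returning the raw point S from any oracle would reintroduce the cross-contract problem, which is why only s_app ever leaves the host.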

Callers derive indexed subkeys from s_app via derive_shared_secret_subkey.