Interface BDHKeyAgreement
BDHKeyAgreement is a preview API of the Java Card platform.
BDHKeyAgreement interface can be used for KeyAgreement instances supporting
Elliptic Curve Blinded Diffie-Hellman Key Exchange protocol as defined in
EMV Contactless Specifications for Payment Systems - Book E Security and Key Management - Version 1.1 Feb 2025.
A KeyAgreement instance implementing the BDHKeyAgreement interface can be created by
the KeyAgreement.getInstance(byte, boolean)
method using the KeyAgreement.ALG_EC_BDH_SECP256R1PREVIEW algorithm constant.
The returned KeyAgreement instance should then be cast into BDHKeyAgreement
to generate the blinding factor, the blinded public key and the shared secret.
- Since:
- preview
- See Also:
-
Method Summary
Modifier and TypeMethodDescriptionshortgenerateSecret(byte[] publicData, short publicOffset, short publicLength, byte[] secret, short secretOffset, byte[] blindedPublicKey, short blindedPublicKeyOffset, byte[] blindingFactor, short blindingFactorOffset) Generates the shared secret data and the blinded public key as per the Blinded Diffie-Hellman key exchange protocol, using thePrivateKeyspecified during initialization and the provided public key data.
-
Method Details
-
generateSecret
short generateSecret(byte[] publicData, short publicOffset, short publicLength, byte[] secret, short secretOffset, byte[] blindedPublicKey, short blindedPublicKeyOffset, byte[] blindingFactor, short blindingFactorOffset) Generates the shared secret data and the blinded public key as per the Blinded Diffie-Hellman key exchange protocol, using thePrivateKeyspecified during initialization and the provided public key data.The shared secret, referred to as
zin the EMV specification, is computed as follows:z = dC · r · QK
where:dCis the private key used for initialization,ris the generated blinding factor,QKis the public key from the second party.
The generated blinded public key is encoded using only its X-affine coordinate, represented as an unsigned, big-endian field element, zero-padded to the curve’s fixed field size. The length of the generated blinded public key is 32 bytes for secp256r1.
The length of the generated blinding factor is 32 bytes for secp256r1.
A call to this method resets the
KeyAgreementobject to its state set via a call toinit(PrivateKey), making the object available again for generating secret data.- Parameters:
publicData- buffer holding the public key data of the second party, encoded as the concatenation ofXandY, whereXandYare the affine coordinates of the elliptic curve point, each represented as an unsigned big-endian field element, zero-padded to the curve’s fixed field size. The total length is therefore 64 bytes for secp256r1 (32 bytes per coordinate).publicOffset- offset into thepublicDatabuffer where the data beginspublicLength- byte length of the public datasecret- buffer to hold the secret outputsecretOffset- offset into thesecretarray where to start writing the secretblindedPublicKey- buffer to hold the blinded public key outputblindedPublicKeyOffset- offset into theblindedPublicKeyarray where to start writing the blinded public keyblindingFactor- buffer to hold the generated blinding factor. The length of the generated blinding factor is 32 bytes for secp256r1.blindingFactorOffset- offset into theblindingFactorbuffer where the data begins- Returns:
- byte length of the secret
- Throws:
CryptoException- with the following reason codes:CryptoException.UNINITIALIZED_KEYif thePrivateKeyspecified inKeyAgreement.init(PrivateKey)is not initialized.CryptoException.ILLEGAL_VALUE- if the
publicDatadata format or length is incorrect, - or if the
publicDatadata is inconsistent with the key specified inKeyAgreement.init(PrivateKey).
- if the
CryptoException.INVALID_INITif thisKeyAgreementobject is not initialized.
-
BDHKeyAgreementwhen preview features are enabled.