aztec-nr - noir_aztec::oracle::shared_secret

Function get_shared_secrets

pub unconstrained fn get_shared_secrets(
    address: AztecAddress,
    eph_pks: EphemeralArray<EmbeddedCurvePoint>,
    contract_address: AztecAddress,
) -> EphemeralArray<Field>

Returns app-siloed shared secrets between address and someone who knows the secret keys behind the given ephemeral public keys.

Each returned Field s_app is computed as:

S     = address_secret * ephPk          (raw ECDH point)
s_app = h(DOM_SEP, S.x, S.y, contract)  (app-siloed scalar)

where contract is the address of the calling contract. The oracle host validates that this address matches its execution context, so a caller cannot pass in another contract's address.

Without app-siloing, a malicious contract could call this oracle with public information (address, ephPk) and obtain the same raw secret as the legitimate contract, enabling cross-contract decryption. By including the contract address in the hash, each contract receives a different s_app, preventing this attack.
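As an added illustration (this is not code from aztec-nr or the oracle host), the following Python models the siloing argument above with a toy Diffie-Hellman group modulo a prime in place of the embedded-curve scalar multiplication, and SHA-256 in place of the oracle's hash; the modulus, base, domain separator, secret keys and contract addresses are all constructed values. It shows the two properties the text relies on: the sender (who knows the ephemeral secret) and the recipient (who knows the address secret) derive the same s_app, while the raw S is identical for every contract and only s_app differs per contract.

```python
import hashlib

# Constructed toy group: Diffie-Hellman in the multiplicative group mod a
# Mersenne prime. Assumption: this stands in for the embedded-curve point
# S = address_secret * ephPk; here S is one integer instead of (S.x, S.y).
P = 2**127 - 1
G = 3
# Assumed domain-separation label, not the real DOM_SEP constant.
DOM_SEP = b"example.shared_secret.domain_separator"


def ecdh(secret: int, public_key: int) -> int:
    """Toy analogue of the raw ECDH point (scalar mult becomes modular exp)."""
    return pow(public_key, secret, P)


def siloed_secret(raw_point: int, contract_address: int) -> int:
    """s_app = h(DOM_SEP, S, contract): SHA-256 stands in for the real hash."""
    h = hashlib.sha256()
    h.update(DOM_SEP)
    h.update(raw_point.to_bytes(16, "big"))
    h.update(contract_address.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % P


def recipient_secrets(address_secret: int, eph_pks: list, contract_address: int) -> list:
    """Toy model of get_shared_secrets: one app-siloed scalar per ephemeral key."""
    return [siloed_secret(ecdh(address_secret, pk), contract_address) for pk in eph_pks]


def sender_secret(eph_secret: int, address_pk: int, contract_address: int) -> int:
    """Sender side: knows the ephemeral secret and the recipient's public key."""
    return siloed_secret(ecdh(eph_secret, address_pk), contract_address)


def demo() -> dict:
    """Runs the two checks the siloing argument depends on (all values constructed)."""
    address_secret = 0x1F3A9C2E5D7B1A4C6E8F0D2B3C5A7E9F
    address_pk = pow(G, address_secret, P)

    eph_secrets = [0x0A1B2C3D4E5F60718293A4B5C6D7E8F9, 0x7E6D5C4B3A291807F6E5D4C3B2A19087]
    eph_pks = [pow(G, e, P) for e in eph_secrets]

    legit_contract = 0x1111  # constructed address of the legitimate contract
    rogue_contract = 0x2222  # constructed address of a different contract

    # Recipient and sender must agree within the same contract.
    recv = recipient_secrets(address_secret, eph_pks, legit_contract)
    send = [sender_secret(e, address_pk, legit_contract) for e in eph_secrets]

    # The raw point depends only on (address, ephPk), so any contract would
    # get the same S; the app-siloed scalar must still differ per contract.
    raw_legit = [ecdh(address_secret, pk) for pk in eph_pks]
    raw_rogue = [ecdh(address_secret, pk) for pk in eph_pks]
    rogue_view = recipient_secrets(address_secret, eph_pks, rogue_contract)

    return {
        "both_sides_agree": recv == send,
        "raw_secret_same_across_contracts": raw_legit == raw_rogue,
        "siloed_differs_per_contract": all(a != b for a, b in zip(recv, rogue_view)),
    }


if __name__ == "__main__":
    print(demo())
```

The middle property is the one that makes the hash necessary: since S is a function of public inputs plus the address secret the oracle already holds, any contract that can reach the oracle would obtain it; binding the contract address into the hash (and having the host check it) is what stops one contract from recovering another's keys.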

Callers derive indexed subkeys from s_app via derive_shared_secret_subkey.