add secp256k1_silentpayments_sender_create_outputs_with_proof

stratospher · stratospher · commit ad040d0ecc3b · 2025-02-11T12:31:26.000+05:30
- add new API which returns DLEQ proofs along with outputs for recipients
- the existing API secp256k1_silentpayments_sender_create_outputs simply
  calls secp256k1_silentpayments_sender_create_outputs_with_proof
  internally.
diff --git a/include/secp256k1_silentpayments.h b/include/secp256k1_silentpayments.h
@@ -120,6 +120,36 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_sender_c
     size_t n_plain_seckeys
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
 
+/** Create Silent Payment outputs and associated DLEQ proof(s) for recipient(s).
+ *
+ * Similar to secp256k1_silentpayments_sender_create_outputs,
+ * but also returns information about associated DLEQ proof.
+ *
+ *  Returns: 1 if creation of outputs was successful. 0 if an error occurred.
+ *  Args:                ctx: pointer to a context object
+ *  Out:   generated_outputs: pointer to an array of pointers to xonly pubkeys,
+ *                            one per recipient.
+ *                            The order of outputs here matches the original
+ *                            ordering of the recipients array.
+ *                dleq_data: pointer to an array of pointers to secp256k1_silentpayments_dleq_data,
+ *                            one per unique recipient.
+ *               n_dleq_size: number of DLEQ proofs generated (equivalent to number of unique recipients)
+ *  In: See input parameters in secp256k1_silentpayments_sender_create_outputs
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_sender_create_outputs_with_proof(
+        const secp256k1_context *ctx,
+        secp256k1_xonly_pubkey **generated_outputs,
+        secp256k1_silentpayments_dleq_data **dleq_data,
+        size_t *n_dleq_size,
+        const secp256k1_silentpayments_recipient **recipients,
+        size_t n_recipients,
+        const unsigned char *outpoint_smallest36,
+        const secp256k1_keypair * const *taproot_seckeys,
+        size_t n_taproot_seckeys,
+        const unsigned char * const *plain_seckeys,
+        size_t n_plain_seckeys
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(7);
+
 /** Create Silent Payment label tweak and label.
  *
  *  Given a recipient's scan key b_scan and a label integer m, calculate the
diff --git a/src/modules/silentpayments/main_impl.h b/src/modules/silentpayments/main_impl.h
@@ -175,9 +175,11 @@ static int secp256k1_silentpayments_create_output_pubkey(const secp256k1_context
     return ret;
 }
 
-int secp256k1_silentpayments_sender_create_outputs(
+int secp256k1_silentpayments_sender_create_outputs_with_proof(
     const secp256k1_context *ctx,
     secp256k1_xonly_pubkey **generated_outputs,
+    secp256k1_silentpayments_dleq_data **dleq_data,
+    size_t *n_dleq_size,
     const secp256k1_silentpayments_recipient **recipients,
     size_t n_recipients,
     const unsigned char *outpoint_smallest36,
@@ -191,10 +193,14 @@ int secp256k1_silentpayments_sender_create_outputs(
     secp256k1_ge A_sum_ge;
     secp256k1_gej A_sum_gej;
     unsigned char input_hash[32];
-    unsigned char shared_secret[33];
+    secp256k1_ge shared_secret;
+    unsigned char shared_secret33[33];
+    unsigned char proof64[64];
     secp256k1_silentpayments_recipient last_recipient;
     int overflow = 0;
     int ret = 1;
+    int j = 0;
+    size_t len;
 
     /* Sanity check inputs. */
     VERIFY_CHECK(ctx != NULL);
@@ -264,13 +270,30 @@ int secp256k1_silentpayments_sender_create_outputs(
             secp256k1_ge pk;
             ret &= secp256k1_pubkey_load(ctx, &pk, &recipients[i]->scan_pubkey);
             if (!ret) break;
-            secp256k1_silentpayments_create_shared_secret(ctx, shared_secret, &a_sum_scalar, &pk);
+            /* Compute shared_secret = tweaked_secret_component * Public_component */
+            secp256k1_silentpayments_create_shared_secret_with_proof(ctx, proof64, &shared_secret, &a_sum_scalar, &pk);
+            if (dleq_data != NULL) {
+                secp256k1_pubkey pubkey;
+                size_t pklen = 33;
+                secp256k1_pubkey_save(&pubkey, &shared_secret);
+                secp256k1_ec_pubkey_serialize(ctx, dleq_data[j]->shared_secret, &pklen, &pubkey, SECP256K1_EC_COMPRESSED);
+                memcpy(dleq_data[j]->proof, proof64, 64);
+                dleq_data[j]->index = recipients[i]->index;
+            }
+            /* This can only fail if the shared secret is the point at infinity, which should be
+             * impossible at this point, considering we have already validated the public key and
+             * the secret key being used
+            */
+            ret = secp256k1_eckey_pubkey_serialize(&shared_secret, shared_secret33, &len, 1);
+            VERIFY_CHECK(ret && len == 33);
             k = 0;
+            j++;
         }
-        ret &= secp256k1_silentpayments_create_output_pubkey(ctx, generated_outputs[recipients[i]->index], shared_secret, &recipients[i]->spend_pubkey, k);
+        ret &= secp256k1_silentpayments_create_output_pubkey(ctx, generated_outputs[recipients[i]->index], shared_secret33, &recipients[i]->spend_pubkey, k);
         k++;
         last_recipient = *recipients[i];
     }
+    *n_dleq_size = j;
     /* Explicitly clear variables containing secret data */
     secp256k1_scalar_clear(&addend);
     secp256k1_scalar_clear(&a_sum_scalar);
@@ -279,10 +302,25 @@ int secp256k1_silentpayments_sender_create_outputs(
      * could result in a third party being able to identify the transaction as a silent payments transaction
      * and potentially link the transaction back to a silent payment address
      */
-    memset(&shared_secret, 0, sizeof(shared_secret));
+    memset(&shared_secret33, 0, sizeof(shared_secret33));
     return ret;
 }
 
+int secp256k1_silentpayments_sender_create_outputs(
+        const secp256k1_context *ctx,
+        secp256k1_xonly_pubkey **generated_outputs,
+        const secp256k1_silentpayments_recipient **recipients,
+        size_t n_recipients,
+        const unsigned char *outpoint_smallest36,
+        const secp256k1_keypair * const *taproot_seckeys,
+        size_t n_taproot_seckeys,
+        const unsigned char * const *plain_seckeys,
+        size_t n_plain_seckeys
+) {
+    size_t n_dleq_size;
+    return secp256k1_silentpayments_sender_create_outputs_with_proof(ctx, generated_outputs, NULL, &n_dleq_size, recipients, n_recipients, outpoint_smallest36, taproot_seckeys, n_taproot_seckeys, plain_seckeys, n_plain_seckeys);
+}
+
 /** Set hash state to the BIP340 tagged hash midstate for "BIP0352/Label". */
 static void secp256k1_silentpayments_sha256_init_label(secp256k1_sha256* hash) {
     secp256k1_sha256_initialize(hash);
