Skip to content

Add BIP352 silentpayments module #1519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
+9,990 −12
Open

Add BIP352 silentpayments module #1519

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
8f69297
build: add skeleton for new silentpayments (BIP352) module
theStack Sep 27, 2023
eb2e695
silentpayments: sending
josibake Mar 25, 2024
3aaaa5a
silentpayments: recipient label support
theStack Jan 22, 2024
793a1a4
silentpayments: receiving
josibake Jun 29, 2024
36f818b
silentpayments: add examples/silentpayments.c
josibake Apr 15, 2024
bfa4e18
silentpayments: add benchmarks for scanning
josibake Apr 25, 2024
094fe7b
tests: add BIP-352 test vectors
josibake Jul 2, 2024
f9aa16e
tests: add constant time tests
josibake Nov 7, 2024
1719790
ci: enable silentpayments module
theStack Feb 22, 2024
324ba7d
docs: update README
josibake Jul 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 51 additions & 0 deletions include/secp256k1_silentpayments.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,57 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_sender_c
size_t n_plain_seckeys
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);

/** Create Silent Payment label tweak and label.
*
* Given a recipient's 32 byte scan key b_scan and a label integer m, calculate the
* corresponding label tweak and label:
*
* label_tweak = hash(b_scan || m)
* label = label_tweak * G
*
* Returns: 1 if label tweak and label creation was successful.
* 0 if an error occurred.
* Args: ctx: pointer to a context object
* Out: label: pointer to the resulting label public key
* label_tweak32: pointer to the 32 byte label tweak
* In: recipient_scan_key32: pointer to the recipient's 32 byte scan key
* m: label integer (0 is used for change outputs)
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_recipient_create_label(
const secp256k1_context *ctx,
secp256k1_pubkey *label,
unsigned char *label_tweak32,
const unsigned char *recipient_scan_key32,
const uint32_t m
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

/** Create Silent Payment labeled spend public key.
*
* Given a recipient's spend public key B_spend and a label, calculate the
* corresponding labeled spend public key:
*
* B_m = B_spend + label
*
* The result is used by the recipient to create a Silent Payment address,
* consisting of the serialized and concatenated scan public key and
* (labeled) spend public key each.
*
* Returns: 1 if labeled spend public key creation was successful.
* 0 if an error occurred.
* Args: ctx: pointer to a context object
* Out: labeled_spend_pubkey: pointer to the resulting labeled spend
* public key
* In: recipient_spend_pubkey: pointer to the recipient's spend pubkey
* label: pointer to the the recipient's label public
* key
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_recipient_create_labeled_spend_pubkey(
const secp256k1_context *ctx,
secp256k1_pubkey *labeled_spend_pubkey,
const secp256k1_pubkey *recipient_spend_pubkey,
const secp256k1_pubkey *label
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

#ifdef __cplusplus
}
#endif
Expand Down
69 changes: 69 additions & 0 deletions src/modules/silentpayments/main_impl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -299,4 +299,73 @@ int secp256k1_silentpayments_sender_create_outputs(
return 1;
}

/** Set hash state to the BIP340 tagged hash midstate for "BIP0352/Label". */
static void secp256k1_silentpayments_sha256_init_label(secp256k1_sha256* hash) {
secp256k1_sha256_initialize(hash);
hash->s[0] = 0x26b95d63ul;
hash->s[1] = 0x8bf1b740ul;
hash->s[2] = 0x10a5986ful;
hash->s[3] = 0x06a387a5ul;
hash->s[4] = 0x2d1c1c30ul;
hash->s[5] = 0xd035951aul;
hash->s[6] = 0x2d7f0f96ul;
hash->s[7] = 0x29e3e0dbul;

hash->bytes = 64;
}

int secp256k1_silentpayments_recipient_create_label(const secp256k1_context *ctx, secp256k1_pubkey *label, unsigned char *label_tweak32, const unsigned char *recipient_scan_key32, const uint32_t m) {
secp256k1_sha256 hash;
unsigned char m_serialized[4];

/* Sanity check inputs. */
VERIFY_CHECK(ctx != NULL);
ARG_CHECK(label != NULL);
ARG_CHECK(label_tweak32 != NULL);
ARG_CHECK(recipient_scan_key32 != NULL);

/* Compute label_tweak = hash(ser_256(b_scan) || ser_32(m)) [sha256 with tag "BIP0352/Label"] */
secp256k1_silentpayments_sha256_init_label(&hash);
secp256k1_sha256_write(&hash, recipient_scan_key32, 32);
secp256k1_write_be32(m_serialized, m);
secp256k1_sha256_write(&hash, m_serialized, sizeof(m_serialized));
secp256k1_sha256_finalize(&hash, label_tweak32);

/* Compute label = label_tweak * G */
return secp256k1_ec_pubkey_create(ctx, label, label_tweak32);
}

int secp256k1_silentpayments_recipient_create_labeled_spend_pubkey(const secp256k1_context *ctx, secp256k1_pubkey *labeled_spend_pubkey, const secp256k1_pubkey *recipient_spend_pubkey, const secp256k1_pubkey *label) {
secp256k1_ge B_m, label_addend;
secp256k1_gej result_gej;
secp256k1_ge result_ge;
int ret;

/* Sanity check inputs. */
VERIFY_CHECK(ctx != NULL);
ARG_CHECK(labeled_spend_pubkey != NULL);
ARG_CHECK(recipient_spend_pubkey != NULL);
ARG_CHECK(label != NULL);

/* Calculate B_m = B_spend + label
* If either the label or spend public key is an invalid public key,
* return early
*/
ret = secp256k1_pubkey_load(ctx, &B_m, recipient_spend_pubkey);
ret &= secp256k1_pubkey_load(ctx, &label_addend, label);
if (!ret) {
return ret;
}
secp256k1_gej_set_ge(&result_gej, &B_m);
secp256k1_gej_add_ge_var(&result_gej, &result_gej, &label_addend, NULL);
if (secp256k1_gej_is_infinity(&result_gej)) {
return 0;
}

secp256k1_ge_set_gej(&result_ge, &result_gej);
secp256k1_pubkey_save(labeled_spend_pubkey, &result_ge);

return 1;
}

#endif
27 changes: 27 additions & 0 deletions src/modules/silentpayments/tests_impl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -239,9 +239,36 @@ static void test_send_api(void) {
}
}

static void test_label_api(void) {
secp256k1_pubkey l, s, ls, e; /* label pk, spend pk, labelled spend pk, expected labelled spend pk */
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
secp256k1_pubkey l, s, ls, e; /* label pk, spend pk, labelled spend pk, expected labelled spend pk */
secp256k1_pubkey l, s, ls, e; /* label pk, spend pk, labeled spend pk, expected labeled spend pk */

unsigned char lt[32]; /* label tweak */
const unsigned char expected[33] = {
0x03,0xdc,0x7f,0x09,0x9a,0xbe,0x95,0x7a,
0x58,0x43,0xd2,0xb6,0xbb,0x35,0x79,0x61,
0x5c,0x60,0x36,0xa4,0x9b,0x86,0xf4,0xbe,
0x46,0x38,0x60,0x28,0xa8,0x1a,0x77,0xd4,0x91
};

/* Create a label and labelled spend public key, verify we get the expected result */
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/* Create a label and labelled spend public key, verify we get the expected result */
/* Create a label and labeled spend public key, verify we get the expected result */

CHECK(secp256k1_ec_pubkey_parse(CTX, &s, BOB_ADDRESS[1], 33));
CHECK(secp256k1_silentpayments_recipient_create_label(CTX, &l, lt, ALICE_SECKEY, 1));
CHECK(secp256k1_silentpayments_recipient_create_labeled_spend_pubkey(CTX, &ls, &s, &l));
CHECK(secp256k1_ec_pubkey_parse(CTX, &e, expected, 33));
CHECK(secp256k1_ec_pubkey_cmp(CTX, &ls, &e) == 0);

/* Check null values are handled */
CHECK_ILLEGAL(CTX, secp256k1_silentpayments_recipient_create_label(CTX, NULL, lt, ALICE_SECKEY, 1));
CHECK_ILLEGAL(CTX, secp256k1_silentpayments_recipient_create_label(CTX, &l, NULL, ALICE_SECKEY, 1));
CHECK_ILLEGAL(CTX, secp256k1_silentpayments_recipient_create_label(CTX, &l, lt, NULL, 1));
CHECK_ILLEGAL(CTX, secp256k1_silentpayments_recipient_create_labeled_spend_pubkey(CTX, NULL, &s, &l));
CHECK_ILLEGAL(CTX, secp256k1_silentpayments_recipient_create_labeled_spend_pubkey(CTX, &ls, NULL, &l));
CHECK_ILLEGAL(CTX, secp256k1_silentpayments_recipient_create_labeled_spend_pubkey(CTX, &ls, &s, NULL));
}

void run_silentpayments_tests(void) {
test_recipient_sort();
test_send_api();
test_label_api();
}

#endif