silentpayments: add shared secret creation routine for sender (a*B)

Author: theStack

include/secp256k1_silentpayments.h

@@ -2,6 +2,7 @@
 #define SECP256K1_SILENTPAYMENTS_H
 
 #include "secp256k1.h"
+#include "secp256k1_extrakeys.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -61,6 +62,30 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_p
     const unsigned char *outpoints_hash32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(7);
 
+/** Create Silent Payment shared secret for the sender side.
+ *
+ * Given private input tweak data a_tweaked a recipient's scan public key B_scan,
+ * compute the corresponding shared secret using ECDH:
+ *
+ * shared_secret = a_tweaked * B_scan
+ * (where a_tweaked = (a_0 + a_1 + ... a_(n-1)) * outpoints_hash)
+ *
+ * The resulting data is needed as input for creating silent payments outputs
+ * belonging to the same receiver scan public key.
+ *
+ *  Returns: 1 if shared secret creation was successful. 0 if an error occured.
+ *  Args:                  ctx: pointer to a context object
+ *  Out:       shared_secret33: pointer to the resulting 33-byte shared secret
+ *  In:           tweak_data32: pointer to 32-byte private input tweak data
+ *        receiver_scan_pubkey: pointer to the receiver's scan pubkey
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_send_create_shared_secret(
+    const secp256k1_context *ctx,
+    unsigned char *shared_secret33,
+    const unsigned char *tweak_data32,
+    const secp256k1_pubkey *receiver_scan_pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 /* TODO: add function API for receiver side. */
 
 #ifdef __cplusplus

src/modules/silentpayments/main_impl.h

@@ -7,8 +7,35 @@
 #define SECP256K1_MODULE_SILENTPAYMENTS_MAIN_H
 
 #include "../../../include/secp256k1.h"
+#include "../../../include/secp256k1_ecdh.h"
+#include "../../../include/secp256k1_extrakeys.h"
 #include "../../../include/secp256k1_silentpayments.h"
 
+/* secp256k1_ecdh expects a hash function to be passed in or uses its default
+ * hashing function. We don't want to hash the ECDH result, so we define a
+ * custom function which simply returns the pubkey without hashing.
+ */
+static int ecdh_return_pubkey(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data) {
+    secp256k1_pubkey pubkey;
+    unsigned char uncompressed_pubkey[65];
+    size_t outputlen = 33;
+    (void)data;
+
+    uncompressed_pubkey[0] = 0x04;
+    memcpy(uncompressed_pubkey + 1, x32, 32);
+    memcpy(uncompressed_pubkey + 33, y32, 32);
+
+    if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, uncompressed_pubkey, 65)) {
+        return 0;
+    }
+
+    if (!secp256k1_ec_pubkey_serialize(secp256k1_context_static, output, &outputlen, &pubkey, SECP256K1_EC_COMPRESSED)) {
+        return 0;
+    }
+
+    return 1;
+}
+
 int secp256k1_silentpayments_create_private_tweak_data(const secp256k1_context *ctx, unsigned char *tweak_data32, const unsigned char *plain_seckeys, size_t n_plain_seckeys, const unsigned char *taproot_seckeys, size_t n_taproot_seckeys, const unsigned char *outpoints_hash32) {
     size_t i;
     unsigned char a_tweaked[32];
@@ -70,6 +97,20 @@ int secp256k1_silentpayments_create_private_tweak_data(const secp256k1_context *
     return 1;
 }
 
+int secp256k1_silentpayments_send_create_shared_secret(const secp256k1_context *ctx, unsigned char *shared_secret33, const unsigned char *tweak_data32, const secp256k1_pubkey *receiver_scan_pubkey) {
+    /* Sanity check inputs */
+    ARG_CHECK(shared_secret33 != NULL);
+    memset(shared_secret33, 0, 33);
+    ARG_CHECK(receiver_scan_pubkey != NULL);
+
+    /* Compute shared_secret = a_tweaked * B_scan */
+    if (!secp256k1_ecdh(ctx, shared_secret33, receiver_scan_pubkey, tweak_data32, ecdh_return_pubkey, NULL)) {
+        return 0;
+    }
+
+    return 1;
+}
+
 /* TODO: implement functions for receiver side. */
 
 #endif