silentpayments: add sender routine

josibake · josibake · commit 71495dcdfa66 · 2024-04-24T10:07:06.000+02:00
Given a set of private keys, the smallest outpoint, and list of recipients this
function handles the entire sender flow:

1. Sum up the private keys
2. Calculate the input_hash
3. For each recipient:
    3a. Calculate a shared secret
    3b. Create the requested number of outputs

This function assumes a single sender context in that it requires the
sender to have access to all of the private keys. In the future, this
API may be expanded to allow for a multiple senders or for a single
sender who does not have access to all private keys at any given time,
but for now these modes are considered out of scope / unsafe.
diff --git a/include/secp256k1_silentpayments.h b/include/secp256k1_silentpayments.h
@@ -40,6 +40,59 @@ typedef struct {
     size_t index;
 } secp256k1_silentpayments_recipient;
 
+/** Create Silent Payment outputs for recipient(s).
+ *
+ * Given a list of n private keys a_1...a_n (one for each silent payment
+ * eligible input to spend), a serialized outpoint, and a list of recipients,
+ * create the taproot outputs:
+ *
+ * a_sum = a_1 + a_2 + ... + a_n
+ * input_hash = hash(outpoint_smallest || (a_sum * G))
+ * taproot_output = B_spend + hash(a_sum * input_hash * B_scan || k) * G
+ *
+ * If necessary, the private keys are negated to enforce the right y-parity.
+ * For that reason, the private keys have to be passed in via two different parameter
+ * pairs, depending on whether they seckeys correspond to x-only outputs or not.
+ *
+ *  Returns: 1 if shared secret creation was successful. 0 if an error occured.
+ *   Args:                 ctx: pointer to a context object
+ *    Out:   generated_outputs: pointer to an array of pointers to xonly pubkeys, one per recipient.
+ *                              The order of outputs here matches the original ordering of the
+ *                              recipients array.
+ *     In:          recipients: pointer to an array of pointers to silent payment recipients,
+ *                              where each recipient is a scan public key, a spend public key, and
+ *                              an index indicating its position in the original ordering.
+ *                              The recipient array will be sorted in place, but generated outputs
+ *                              are saved in the `generated_outputs` array to match the ordering
+ *                              from the index field. This ensures the caller is able to match the
+ *                              generated outputs to the correct silent payment addresses. The same
+ *                              recipient can be passed multiple times to create multiple
+ *                              outputs for the same recipient.
+ *                n_recipients: the number of recipients. This is equal to the total
+ *                              number of outputs to be generated as each recipient may passed
+ *                              multiple times to generate multiple outputs for the same recipient
+ *         outpoint_smallest36: serialized smallest outpoint
+ *             taproot_seckeys: pointer to an array of pointers to 32-byte private keys
+ *                              of taproot inputs (can be NULL if no private keys of
+ *                              taproot inputs are used)
+ *           n_taproot_seckeys: the number of sender's taproot input private keys
+ *               plain_seckeys: pointer to an array of pointers to 32-byte private keys
+ *                              of non-taproot inputs (can be NULL if no private keys of
+ *                              non-taproot inputs are used)
+ *             n_plain_seckeys: the number of sender's non-taproot input private keys
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_sender_create_outputs(
+    const secp256k1_context *ctx,
+    secp256k1_xonly_pubkey **generated_outputs,
+    const secp256k1_silentpayments_recipient **recipients,
+    size_t n_recipients,
+    const unsigned char *outpoint_smallest36,
+    const secp256k1_keypair * const *taproot_seckeys,
+    size_t n_taproot_seckeys,
+    const unsigned char * const *plain_seckeys,
+    size_t n_plain_seckeys
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/modules/silentpayments/main_impl.h b/src/modules/silentpayments/main_impl.h
@@ -173,4 +173,94 @@ int secp256k1_silentpayments_create_output_pubkey(const secp256k1_context *ctx,
     return 1;
 }
 
+int secp256k1_silentpayments_sender_create_outputs(
+    const secp256k1_context *ctx,
+    secp256k1_xonly_pubkey **generated_outputs,
+    const secp256k1_silentpayments_recipient **recipients,
+    size_t n_recipients,
+    const unsigned char *outpoint_smallest36,
+    const secp256k1_keypair * const *taproot_seckeys,
+    size_t n_taproot_seckeys,
+    const unsigned char * const *plain_seckeys,
+    size_t n_plain_seckeys
+) {
+    size_t i, k;
+    secp256k1_scalar a_sum_scalar, addend;
+    secp256k1_ge A_sum_ge;
+    secp256k1_gej A_sum_gej;
+    unsigned char input_hash[32];
+    unsigned char a_sum[32];
+    unsigned char shared_secret[33];
+    secp256k1_silentpayments_recipient last_recipient;
+
+    /* Sanity check inputs. */
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(recipients != NULL);
+    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
+    ARG_CHECK(plain_seckeys == NULL || n_plain_seckeys >= 1);
+    ARG_CHECK(taproot_seckeys == NULL || n_taproot_seckeys >= 1);
+    ARG_CHECK((plain_seckeys != NULL) || (taproot_seckeys != NULL));
+    ARG_CHECK((n_plain_seckeys + n_taproot_seckeys) >= 1);
+    ARG_CHECK(outpoint_smallest36 != NULL);
+    /* ensure the index field is set correctly */
+    for (i = 0; i < n_recipients; i++) {
+        ARG_CHECK(recipients[i]->index == i);
+    }
+
+    /* Compute input private keys sum: a_sum = a_1 + a_2 + ... + a_n */
+    a_sum_scalar = secp256k1_scalar_zero;
+    for (i = 0; i < n_plain_seckeys; i++) {
+        int ret = secp256k1_scalar_set_b32_seckey(&addend, plain_seckeys[i]);
+        VERIFY_CHECK(ret);
+        (void)ret;
+
+        secp256k1_scalar_add(&a_sum_scalar, &a_sum_scalar, &addend);
+        VERIFY_CHECK(!secp256k1_scalar_is_zero(&a_sum_scalar));
+    }
+    /* private keys used for taproot outputs have to be negated if they resulted in an odd point */
+    for (i = 0; i < n_taproot_seckeys; i++) {
+        secp256k1_ge addend_point;
+        int ret = secp256k1_keypair_load(ctx, &addend, &addend_point, taproot_seckeys[i]);
+        VERIFY_CHECK(ret);
+        (void)ret;
+        /* declassify addend_point to allow using it as a branch point (this is fine because addend_point is not a secret) */
+        secp256k1_declassify(ctx, &addend_point, sizeof(addend_point));
+        secp256k1_fe_normalize_var(&addend_point.y);
+        if (secp256k1_fe_is_odd(&addend_point.y)) {
+            secp256k1_scalar_negate(&addend, &addend);
+        }
+
+        secp256k1_scalar_add(&a_sum_scalar, &a_sum_scalar, &addend);
+        VERIFY_CHECK(!secp256k1_scalar_is_zero(&a_sum_scalar));
+    }
+    if (secp256k1_scalar_is_zero(&a_sum_scalar)) {
+        /* TODO: do we need a special error return code for this case? */
+        return 0;
+    }
+    secp256k1_scalar_get_b32(a_sum, &a_sum_scalar);
+
+    /* Compute input_hash = hash(outpoint_L || (a_sum * G)) */
+    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &A_sum_gej, &a_sum_scalar);
+    secp256k1_ge_set_gej(&A_sum_ge, &A_sum_gej);
+    secp256k1_silentpayments_calculate_input_hash(input_hash, outpoint_smallest36, &A_sum_ge);
+    secp256k1_silentpayments_recipient_sort(ctx, recipients, n_recipients);
+    last_recipient = *recipients[0];
+    k = 0;
+    for (i = 0; i < n_recipients; i++) {
+        if ((secp256k1_ec_pubkey_cmp(ctx, &last_recipient.scan_pubkey, &recipients[i]->scan_pubkey) != 0) || (i == 0)) {
+            /* if we are on a different scan pubkey, its time to recreate the the shared secret and reset k to 0 */
+            if (!secp256k1_silentpayments_create_shared_secret(ctx, shared_secret, a_sum, &recipients[i]->scan_pubkey, input_hash)) {
+                return 0;
+            }
+            k = 0;
+        }
+        if (!secp256k1_silentpayments_create_output_pubkey(ctx, generated_outputs[recipients[i]->index], shared_secret, &recipients[i]->spend_pubkey, k)) {
+            return 0;
+        }
+        k++;
+        last_recipient = *recipients[i];
+    }
+    return 1;
+}
+
 #endif
