silentpayments: add shared secret creation routine for sender (a*B)

Author: theStack

include/secp256k1_silentpayments.h

@@ -2,6 +2,7 @@
 #define SECP256K1_SILENTPAYMENTS_H
 
 #include "secp256k1.h"
+#include "secp256k1_extrakeys.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -64,6 +65,30 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_p
     const unsigned char *outpoint_smallest36
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(7);
 
+/** Create Silent Payment shared secret for the sender side.
+ *
+ * Given private input tweak data a_tweaked and a recipient's scan public key B_scan,
+ * compute the corresponding shared secret using ECDH:
+ *
+ * shared_secret = a_tweaked * B_scan
+ * (where a_tweaked = (a_1 + a_2 + ... + a_n) * input_hash)
+ *
+ * The resulting data is needed as input for creating silent payments outputs
+ * belonging to the same receiver scan public key.
+ *
+ *  Returns: 1 if shared secret creation was successful. 0 if an error occured.
+ *  Args:                  ctx: pointer to a context object
+ *  Out:       shared_secret33: pointer to the resulting 33-byte shared secret
+ *  In:   private_tweak_data32: pointer to 32-byte private input tweak data
+ *        receiver_scan_pubkey: pointer to the receiver's scan pubkey
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_send_create_shared_secret(
+    const secp256k1_context *ctx,
+    unsigned char *shared_secret33,
+    const unsigned char *private_tweak_data32,
+    const secp256k1_pubkey *receiver_scan_pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 /* TODO: add function API for receiver side. */
 
 #ifdef __cplusplus

src/modules/silentpayments/main_impl.h

@@ -7,6 +7,8 @@
 #define SECP256K1_MODULE_SILENTPAYMENTS_MAIN_H
 
 #include "../../../include/secp256k1.h"
+#include "../../../include/secp256k1_ecdh.h"
+#include "../../../include/secp256k1_extrakeys.h"
 #include "../../../include/secp256k1_silentpayments.h"
 
 /** Set hash state to the BIP340 tagged hash midstate for "BIP0352/Inputs". */
@@ -102,6 +104,46 @@ int secp256k1_silentpayments_create_private_tweak_data(const secp256k1_context *
     return 1;
 }
 
+/* secp256k1_ecdh expects a hash function to be passed in or uses its default
+ * hashing function. We don't want to hash the ECDH result, so we define a
+ * custom function which simply returns the pubkey without hashing.
+ */
+static int secp256k1_silentpayments_ecdh_return_pubkey(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data) {
+    secp256k1_ge point;
+    secp256k1_fe x, y;
+    size_t ser_size;
+    int ser_ret;
+
+    (void)data;
+    /* Parse point as group element */
+    if (!secp256k1_fe_set_b32_limit(&x, x32) || !secp256k1_fe_set_b32_limit(&y, y32)) {
+        return 0;
+    }
+    secp256k1_ge_set_xy(&point, &x, &y);
+
+    /* Serialize as compressed pubkey */
+    ser_ret = secp256k1_eckey_pubkey_serialize(&point, output, &ser_size, 1);
+    VERIFY_CHECK(ser_ret && ser_size == 33);
+    (void)ser_ret;
+
+    return 1;
+}
+
+int secp256k1_silentpayments_send_create_shared_secret(const secp256k1_context *ctx, unsigned char *shared_secret33, const unsigned char *private_tweak_data32, const secp256k1_pubkey *receiver_scan_pubkey) {
+    /* Sanity check inputs */
+    ARG_CHECK(shared_secret33 != NULL);
+    memset(shared_secret33, 0, 33);
+    ARG_CHECK(private_tweak_data32 != NULL);
+    ARG_CHECK(receiver_scan_pubkey != NULL);
+
+    /* Compute shared_secret = a_tweaked * B_scan */
+    if (!secp256k1_ecdh(ctx, shared_secret33, receiver_scan_pubkey, private_tweak_data32, secp256k1_silentpayments_ecdh_return_pubkey, NULL)) {
+        return 0;
+    }
+
+    return 1;
+}
+
 /* TODO: implement functions for receiver side. */
 
 #endif