silentpayments: add private tweak data creation routine

theStack · theStack · commit 759eb1f2eeab · 2023-12-23T16:51:08.000+01:00
diff --git a/include/secp256k1_silentpayments.h b/include/secp256k1_silentpayments.h
@@ -28,7 +28,38 @@ extern "C" {
  * operations.
  */
 
-/* TODO: add function API for sender side. */
+/** Create Silent Payment tweak data from input private keys.
+ *
+ * Given a list of n private keys a_0...a_(n-1) (one for each input to spend)
+ * and an outpoints_hash, compute the corresponding input private keys tweak data:
+ *
+ * a_tweaked = (a_0 + a_1 + ... a_(n-1)) * outpoints_hash
+ *
+ * If necessary, the private keys are negated to enforce the right y-parity.
+ * For that reason, the private keys have to be passed in via two different parameter
+ * pairs, depending on whether they were used for creating taproot outputs or not.
+ * The resulting data is needed to create a shared secret for the sender side.
+ *
+ *  Returns: 1 if shared secret creation was successful. 0 if an error occured.
+ *  Args:                  ctx: pointer to a context object
+ *  Out:          tweak_data32: pointer to the resulting 32-byte tweak data
+ *  In:          plain_seckeys: pointer to an array of 32-byte private keys of non-taproot inputs
+ *                              (can be NULL if no private keys of non-taproot inputs are used)
+ *             n_plain_seckeys: the number of sender's non-taproot input private keys
+ *             taproot_seckeys: pointer to an array of 32-byte private keys of taproot inputs
+ *                              (can be NULL if no private keys of taproot inputs are used)
+ *           n_taproot_seckeys: the number of sender's taproot input private keys
+ *            outpoints_hash32: hash of the sorted serialized outpoints
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_private_tweak_data(
+    const secp256k1_context *ctx,
+    unsigned char *tweak_data32,
+    const unsigned char *plain_seckeys,
+    size_t n_plain_seckeys,
+    const unsigned char *taproot_seckeys,
+    size_t n_taproot_seckeys,
+    const unsigned char *outpoints_hash32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(7);
 
 /* TODO: add function API for receiver side. */
 
diff --git a/src/modules/silentpayments/main_impl.h b/src/modules/silentpayments/main_impl.h
@@ -9,7 +9,66 @@
 #include "../../../include/secp256k1.h"
 #include "../../../include/secp256k1_silentpayments.h"
 
-/* TODO: implement functions for sender side. */
+int secp256k1_silentpayments_create_private_tweak_data(const secp256k1_context *ctx, unsigned char *tweak_data32, const unsigned char *plain_seckeys, size_t n_plain_seckeys, const unsigned char *taproot_seckeys, size_t n_taproot_seckeys, const unsigned char *outpoints_hash32) {
+    size_t i;
+    unsigned char a_tweaked[32];
+
+    /* Sanity check inputs. */
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(tweak_data32 != NULL);
+    memset(tweak_data32, 0, 32);
+    ARG_CHECK(plain_seckeys == NULL || n_plain_seckeys >= 1);
+    ARG_CHECK(taproot_seckeys == NULL || n_taproot_seckeys >= 1);
+    ARG_CHECK((plain_seckeys != NULL) || (taproot_seckeys != NULL));
+    ARG_CHECK((n_plain_seckeys + n_taproot_seckeys) >= 1);
+    ARG_CHECK(outpoints_hash32 != NULL);
+
+    /* Compute input private keys tweak: a_tweaked = (a_0 + a_1 + ... + a_(n-1)) * outpoints_hash */
+    for (i = 0; i < n_plain_seckeys; i++) {
+        const unsigned char *seckey_to_add = &plain_seckeys[i*32];
+        if (i == 0) {
+            memcpy(a_tweaked, seckey_to_add, 32);
+            continue;
+        }
+        if (!secp256k1_ec_seckey_tweak_add(ctx, a_tweaked, seckey_to_add)) {
+            return 0;
+        }
+    }
+    /* private keys used for taproot outputs have to be negated if they resulted in an odd point */
+    for (i = 0; i < n_taproot_seckeys; i++) {
+        unsigned char seckey_to_add[32];
+        secp256k1_pubkey pubkey;
+        secp256k1_ge ge;
+
+        memcpy(seckey_to_add, &taproot_seckeys[32*i], 32);
+        if (!secp256k1_ec_pubkey_create(ctx, &pubkey, seckey_to_add)) {
+            return 0;
+        }
+        if (!secp256k1_pubkey_load(ctx, &ge, &pubkey)) {
+            return 0;
+        }
+        if (secp256k1_fe_is_odd(&ge.y)) {
+            if (!secp256k1_ec_seckey_negate(ctx, seckey_to_add)) {
+                return 0;
+            }
+        }
+
+        if (i == 0 && n_plain_seckeys == 0) {
+            memcpy(a_tweaked, seckey_to_add, 32);
+            continue;
+        }
+        if (!secp256k1_ec_seckey_tweak_add(ctx, a_tweaked, seckey_to_add)) {
+            return 0;
+        }
+    }
+
+    if (!secp256k1_ec_seckey_tweak_mul(ctx, a_tweaked, outpoints_hash32)) {
+        return 0;
+    }
+
+    memcpy(tweak_data32, a_tweaked, 32);
+    return 1;
+}
 
 /* TODO: implement functions for receiver side. */
 
