silentpayments: add recipient label support

theStack · josibake · commit 987d829e8fae · 2024-04-19T14:21:00.000+02:00
Add function for creating a label tweak. This requires a tagged hash
function for labels. This function is used by the receiver for creating
labels to be used for a) creating labelled addresses and b) to populate
a labels cache when scanning.

Add function for creating a labelled spend pubkey. This involves taking
a label tweak, turning it into a public key and adding it to the spend
public key. This function is used by the receiver to create a labelled
silent payment address.
diff --git a/include/secp256k1_silentpayments.h b/include/secp256k1_silentpayments.h
@@ -93,6 +93,51 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_sender_c
     size_t n_plain_seckeys
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
 
+/** Create Silent Payment label tweak and label.
+ *
+ *  Given a recipient's scan private key b_scan and a label integer m, calculate
+ *  the corresponding label tweak and label:
+ *
+ *  label_tweak = hash(b_scan || m)
+ *  label = label_tweak * G
+ *
+ *  Returns: 1 if label tweak and label creation was successful. 0 if an error occured.
+ *  Args:                  ctx: pointer to a context object
+ *  Out:           label_tweak: pointer to the resulting label tweak
+ *   In:  receiver_scan_seckey: pointer to the receiver's scan private key
+ *                           m: label integer (0 is used for change outputs)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_recipient_create_label_tweak(
+    const secp256k1_context *ctx,
+    secp256k1_pubkey *label,
+    unsigned char *label_tweak32,
+    const unsigned char *receiver_scan_seckey,
+    unsigned int m
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Create Silent Payment labelled spend public key.
+ *
+ *  Given a recipient's spend public key B_spend and a label, calculate
+ *  the corresponding serialized labelled spend public key:
+ *
+ *  B_m = B_spend + label
+ *
+ *  The result is used by the recipient to create a Silent Payment address, consisting
+ *  of the serialized and concatenated scan public key and (labelled) spend public key each.
+ *
+ *  Returns: 1 if labelled spend public key creation was successful. 0 if an error occured.
+ *  Args:                  ctx: pointer to a context object
+ *  Out: l_addr_spend_pubkey33: pointer to the resulting labelled spend public key
+ *   In: receiver_spend_pubkey: pointer to the receiver's spend pubkey
+ *                       label: pointer to the the receiver's label
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_recipient_create_labelled_spend_pubkey(
+    const secp256k1_context *ctx,
+    secp256k1_pubkey *labeled_spend_pubkey,
+    const secp256k1_pubkey *receiver_spend_pubkey,
+    const secp256k1_pubkey *label
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/modules/silentpayments/main_impl.h b/src/modules/silentpayments/main_impl.h
@@ -263,4 +263,69 @@ int secp256k1_silentpayments_sender_create_outputs(
     return 1;
 }
 
+/** Set hash state to the BIP340 tagged hash midstate for "BIP0352/Label". */
+static void secp256k1_silentpayments_sha256_init_label(secp256k1_sha256* hash) {
+    secp256k1_sha256_initialize(hash);
+    hash->s[0] = 0x26b95d63ul;
+    hash->s[1] = 0x8bf1b740ul;
+    hash->s[2] = 0x10a5986ful;
+    hash->s[3] = 0x06a387a5ul;
+    hash->s[4] = 0x2d1c1c30ul;
+    hash->s[5] = 0xd035951aul;
+    hash->s[6] = 0x2d7f0f96ul;
+    hash->s[7] = 0x29e3e0dbul;
+
+    hash->bytes = 64;
+}
+
+int secp256k1_silentpayments_recipient_create_label_tweak(const secp256k1_context *ctx, secp256k1_pubkey *label, unsigned char *label_tweak32, const unsigned char *receiver_scan_seckey, unsigned int m) {
+    secp256k1_sha256 hash;
+    unsigned char m_serialized[4];
+
+    /* Sanity check inputs. */
+    VERIFY_CHECK(ctx != NULL);
+    (void)ctx;
+    VERIFY_CHECK(label != NULL);
+    VERIFY_CHECK(label_tweak32 != NULL);
+    VERIFY_CHECK(receiver_scan_seckey != NULL);
+
+    /* Compute label_tweak = hash(ser_256(b_scan) || ser_32(m))  [sha256 with tag "BIP0352/Label"] */
+    secp256k1_silentpayments_sha256_init_label(&hash);
+    secp256k1_sha256_write(&hash, receiver_scan_seckey, 32);
+    secp256k1_write_be32(m_serialized, m);
+    secp256k1_sha256_write(&hash, m_serialized, sizeof(m_serialized));
+    secp256k1_sha256_finalize(&hash, label_tweak32);
+
+    /* Compute label = label_tweak * G */
+    if (!secp256k1_ec_pubkey_create(ctx, label, label_tweak32)) {
+        return 0;
+    }
+
+    return 1;
+}
+
+int secp256k1_silentpayments_recipient_create_labelled_spend_pubkey(const secp256k1_context *ctx, secp256k1_pubkey *labeled_spend_pubkey, const secp256k1_pubkey *receiver_spend_pubkey, const secp256k1_pubkey *label) {
+    secp256k1_ge B_m, label_addend;
+    secp256k1_gej result_gej;
+    secp256k1_ge result_ge;
+
+    /* Sanity check inputs. */
+    VERIFY_CHECK(ctx != NULL);
+    VERIFY_CHECK(labeled_spend_pubkey != NULL);
+    VERIFY_CHECK(receiver_spend_pubkey != NULL);
+    VERIFY_CHECK(label != NULL);
+
+    /* Calculate B_m = B_spend + label */
+    secp256k1_pubkey_load(ctx, &B_m, receiver_spend_pubkey);
+    secp256k1_pubkey_load(ctx, &label_addend, label);
+    secp256k1_gej_set_ge(&result_gej, &B_m);
+    secp256k1_gej_add_ge_var(&result_gej, &result_gej, &label_addend, NULL);
+
+    /* Serialize B_m */
+    secp256k1_ge_set_gej(&result_ge, &result_gej);
+    secp256k1_pubkey_save(labeled_spend_pubkey, &result_ge);
+
+    return 1;
+}
+
 #endif
