silentpayments: add public tweak data creation routine

theStack · theStack · commit adff4debb24d · 2023-12-23T16:52:38.000+01:00
diff --git a/include/secp256k1_silentpayments.h b/include/secp256k1_silentpayments.h
@@ -86,7 +86,38 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_send_cre
     const secp256k1_pubkey *receiver_scan_pubkey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
-/* TODO: add function API for receiver side. */
+/** Create Silent Payment tweak data from input public keys.
+ *
+ * Given a list of n public keys A_0...A_(n-1) (one for each input to spend)
+ * and an outpoints_hash, compute the corresponding input public keys tweak data:
+ *
+ * A_tweaked = (A_0 + A_1 + ... A_(n-1)) * outpoints_hash
+ *
+ * If necessary, the public keys are negated to enforce the right y-parity.
+ * For that reason, the public keys have to be passed in via two different parameter
+ * pairs, depending on whether they were used for creating taproot outputs or not.
+ * The resulting data is needed to create a shared secret for the receiver's side.
+ *
+ *  Returns: 1 if tweak data creation was successful. 0 if an error occured.
+ *  Args:                  ctx: pointer to a context object
+ *  Out:          tweak_data33: pointer to the resulting 33-byte tweak data
+ *  In:          plain_pubkeys: pointer to an array of non-taproot public keys
+ *                              (can be NULL if no non-taproot inputs are used)
+ *             n_plain_pubkeys: the number of non-taproot input public keys
+ *               xonly_pubkeys: pointer to an array of taproot x-only public keys
+ *                              (can be NULL if no taproot input public keys are used)
+ *             n_xonly_pubkeys: the number of taproot input public keys
+ *            outpoints_hash32: hash of the sorted serialized outpoints
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_public_tweak_data(
+    const secp256k1_context *ctx,
+    unsigned char *tweak_data33,
+    const secp256k1_pubkey *plain_pubkeys,
+    size_t n_plain_pubkeys,
+    const secp256k1_xonly_pubkey *xonly_pubkeys,
+    size_t n_xonly_pubkeys,
+    const unsigned char *outpoints_hash32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(7);
 
 #ifdef __cplusplus
 }
diff --git a/src/modules/silentpayments/main_impl.h b/src/modules/silentpayments/main_impl.h
@@ -111,6 +111,74 @@ int secp256k1_silentpayments_send_create_shared_secret(const secp256k1_context *
     return 1;
 }
 
+int secp256k1_silentpayments_create_public_tweak_data(const secp256k1_context *ctx, unsigned char *tweak_data33, const secp256k1_pubkey *plain_pubkeys, size_t n_plain_pubkeys, const secp256k1_xonly_pubkey *xonly_pubkeys, size_t n_xonly_pubkeys, const unsigned char *outpoints_hash32) {
+    size_t i;
+    secp256k1_pubkey A_tweaked;
+    size_t outputlen = 33;
+
+    /* Sanity check inputs */
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(tweak_data33 != NULL);
+    memset(tweak_data33, 0, 33);
+    ARG_CHECK(plain_pubkeys == NULL || n_plain_pubkeys >= 1);
+    ARG_CHECK(xonly_pubkeys == NULL || n_xonly_pubkeys >= 1);
+    ARG_CHECK((plain_pubkeys != NULL) || (xonly_pubkeys != NULL));
+    ARG_CHECK((n_plain_pubkeys + n_xonly_pubkeys) >= 1);
+    ARG_CHECK(outpoints_hash32 != NULL);
+
+    /* Compute input public keys tweak: A_tweaked = (A_0 + A_1 + ... + A_n) * outpoints_hash */
+    for (i = 0; i < n_plain_pubkeys; i++) {
+        secp256k1_pubkey combined;
+        const secp256k1_pubkey *addends[2];
+        if (i == 0) {
+            A_tweaked = plain_pubkeys[0];
+            continue;
+        }
+        addends[0] = &A_tweaked;
+        addends[1] = &plain_pubkeys[i];
+        if (!secp256k1_ec_pubkey_combine(ctx, &combined, addends, 2)) {
+            return 0;
+        }
+        A_tweaked = combined;
+    }
+    /* X-only public keys have to be converted to regular public keys (assuming even parity) */
+    for (i = 0; i < n_xonly_pubkeys; i++) {
+        unsigned char pubkey_to_add_ser[33];
+        secp256k1_pubkey combined, pubkey_to_add;
+        const secp256k1_pubkey *addends[2];
+
+        pubkey_to_add_ser[0] = 0x02;
+        if (!secp256k1_xonly_pubkey_serialize(ctx, &pubkey_to_add_ser[1], &xonly_pubkeys[i])) {
+            return 0;
+        }
+        if (!secp256k1_ec_pubkey_parse(ctx, &pubkey_to_add, pubkey_to_add_ser, 33)) {
+            return 0;
+        }
+
+        if (i == 0 && n_plain_pubkeys == 0) {
+            A_tweaked = pubkey_to_add;
+            continue;
+        }
+        addends[0] = &A_tweaked;
+        addends[1] = &pubkey_to_add;
+        if (!secp256k1_ec_pubkey_combine(ctx, &combined, addends, 2)) {
+            return 0;
+        }
+        A_tweaked = combined;
+    }
+
+    if (!secp256k1_ec_pubkey_tweak_mul(ctx, &A_tweaked, outpoints_hash32)) {
+        return 0;
+    }
+
+    /* Serialize tweak_data */
+    if (!secp256k1_ec_pubkey_serialize(ctx, tweak_data33, &outputlen, &A_tweaked, SECP256K1_EC_COMPRESSED)) {
+        return 0;
+    }
+
+    return 1;
+}
+
 /* TODO: implement functions for receiver side. */
 
 #endif
