add secp256k1_silentpayments_sender_create_outputs_with_proof

stratospher · stratospher · commit c5db9222b38a · 2025-09-29T13:46:02.000+05:30
- add new API which returns DLEQ proofs along with outputs for recipients
- the existing API secp256k1_silentpayments_sender_create_outputs simply
  calls secp256k1_silentpayments_sender_create_outputs_with_proof
  internally.
diff --git a/include/secp256k1_silentpayments.h b/include/secp256k1_silentpayments.h
@@ -142,6 +142,36 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_sender_c
     size_t n_plain_seckeys
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
 
+/** Create Silent Payment outputs and associated DLEQ proof(s) for recipient(s).
+ *
+ * Similar to secp256k1_silentpayments_sender_create_outputs,
+ * but also returns information about associated DLEQ proof.
+ *
+ *  Returns: 1 if creation of outputs was successful. 0 if an error occurred.
+ *  Args:                ctx: pointer to a context object
+ *  Out:   generated_outputs: pointer to an array of pointers to xonly pubkeys,
+ *                            one per recipient.
+ *                            The order of outputs here matches the original
+ *                            ordering of the recipients array.
+ *                dleq_data: pointer to an array of pointers to secp256k1_silentpayments_dleq_data,
+ *                            one per unique recipient.
+ *               n_dleq_size: number of DLEQ proofs generated (equivalent to number of unique recipients)
+ *  In: See input parameters in secp256k1_silentpayments_sender_create_outputs
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_sender_create_outputs_with_proof(
+        const secp256k1_context *ctx,
+        secp256k1_xonly_pubkey **generated_outputs,
+        secp256k1_silentpayments_dleq_data **dleq_data,
+        size_t *n_dleq_size,
+        const secp256k1_silentpayments_recipient **recipients,
+        size_t n_recipients,
+        const unsigned char *outpoint_smallest36,
+        const secp256k1_keypair * const *taproot_seckeys,
+        size_t n_taproot_seckeys,
+        const unsigned char * const *plain_seckeys,
+        size_t n_plain_seckeys
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(7);
+
 /** Create Silent Payment label tweak and label.
  *
  *  Given a recipient's 32 byte scan key and a label integer m, calculate the
diff --git a/src/modules/silentpayments/main_impl.h b/src/modules/silentpayments/main_impl.h
@@ -211,9 +211,11 @@ static int secp256k1_silentpayments_create_output_pubkey(const secp256k1_context
     return 1;
 }
 
-int secp256k1_silentpayments_sender_create_outputs(
+int secp256k1_silentpayments_sender_create_outputs_with_proof(
     const secp256k1_context *ctx,
     secp256k1_xonly_pubkey **generated_outputs,
+    secp256k1_silentpayments_dleq_data **dleq_data,
+    size_t *n_dleq_size,
     const secp256k1_silentpayments_recipient **recipients,
     size_t n_recipients,
     const unsigned char *outpoint_smallest36,
@@ -226,9 +228,13 @@ int secp256k1_silentpayments_sender_create_outputs(
     secp256k1_scalar seckey_sum_scalar, addend, input_hash_scalar;
     secp256k1_ge prevouts_pubkey_sum_ge;
     secp256k1_gej prevouts_pubkey_sum_gej;
-    unsigned char shared_secret[33];
+    secp256k1_ge shared_secret;
+    unsigned char shared_secret33[33];
+    unsigned char proof64[64];
     secp256k1_pubkey current_scan_pubkey;
-    int ret, sum_is_zero;
+    int ret = 0, sum_is_zero;
+    int j = 0;
+    size_t len;
 
     /* Sanity check inputs. */
     VERIFY_CHECK(ctx != NULL);
@@ -328,21 +334,57 @@ int secp256k1_silentpayments_sender_create_outputs(
                 secp256k1_memclear_explicit(&shared_secret, sizeof(shared_secret));
                 return 0;
             }
-            secp256k1_silentpayments_create_shared_secret(ctx, shared_secret, &pk, &seckey_sum_scalar);
+            /* Compute shared_secret = tweaked_secret_component * Public_component */
+            secp256k1_silentpayments_create_shared_secret_with_proof(ctx, proof64, &shared_secret, &pk, &seckey_sum_scalar);
+            if (dleq_data != NULL) {
+                secp256k1_pubkey pubkey;
+                size_t pklen = 33;
+                secp256k1_pubkey_save(&pubkey, &shared_secret);
+                secp256k1_ec_pubkey_serialize(ctx, dleq_data[j]->shared_secret, &pklen, &pubkey, SECP256K1_EC_COMPRESSED);
+                memcpy(dleq_data[j]->proof, proof64, 64);
+                dleq_data[j]->index = recipients[i]->index;
+            }
+            /* This can only fail if the shared secret is the point at infinity, which should be
+             * impossible at this point, considering we have already validated the public key and
+             * the secret key being used
+            */
+            ret = secp256k1_eckey_pubkey_serialize(&shared_secret, shared_secret33, &len, 1);
+            VERIFY_CHECK(ret && len == 33);
             k = 0;
+            j++;
         }
-        if (!secp256k1_silentpayments_create_output_pubkey(ctx, generated_outputs[recipients[i]->index], shared_secret, &recipients[i]->spend_pubkey, k)) {
+        if (!secp256k1_silentpayments_create_output_pubkey(ctx, generated_outputs[recipients[i]->index], shared_secret33, &recipients[i]->spend_pubkey, k)) {
             secp256k1_scalar_clear(&seckey_sum_scalar);
             secp256k1_memclear_explicit(&shared_secret, sizeof(shared_secret));
             return 0;
         }
         VERIFY_CHECK(k < SIZE_MAX);
+        ret &= secp256k1_silentpayments_create_output_pubkey(ctx, generated_outputs[recipients[i]->index], shared_secret33, &recipients[i]->spend_pubkey, k);
         k++;
         current_scan_pubkey = recipients[i]->scan_pubkey;
     }
+    *n_dleq_size = j;
     secp256k1_scalar_clear(&seckey_sum_scalar);
-    secp256k1_memclear_explicit(&shared_secret, sizeof(shared_secret));
-    return 1;
+    secp256k1_ge_clear(&shared_secret);
+    secp256k1_memclear_explicit(&shared_secret33, sizeof(shared_secret33));
+    return ret;
+}
+
+int secp256k1_silentpayments_sender_create_outputs(
+
+
+        const secp256k1_context *ctx,
+        secp256k1_xonly_pubkey **generated_outputs,
+        const secp256k1_silentpayments_recipient **recipients,
+        size_t n_recipients,
+        const unsigned char *outpoint_smallest36,
+        const secp256k1_keypair * const *taproot_seckeys,
+        size_t n_taproot_seckeys,
+        const unsigned char * const *plain_seckeys,
+        size_t n_plain_seckeys
+) {
+    size_t n_dleq_size;
+    return secp256k1_silentpayments_sender_create_outputs_with_proof(ctx, generated_outputs, NULL, &n_dleq_size, recipients, n_recipients, outpoint_smallest36, taproot_seckeys, n_taproot_seckeys, plain_seckeys, n_plain_seckeys);
 }
 
 /** Set hash state to the BIP340 tagged hash midstate for "BIP0352/Label". */
