Updated 6264c3d -> 9e85256 (2025_00 -> 2025_01, compare)

• Added documentation for expectations around label_lookup pointer lifetimes (h/t @antonilol)
• Update docs to accurately reflect that label_context is optional (h/t @antonilol)
• Added a test case for passing a lookup callback with a null context (which required some small updates to the test label lookup function)

Sorry, stopping CI here. We're about to make a release and need to the CI. :)

We'll restart the jobs here afterwards.

Update 9e85256 -> a4db279 (2025_01 -> 2025_02, compare)

• Update the constant time tests to cover the _recipient_created_shared_secret and _recipient_created_output_pubkey functions (h/t @theStack )
• Remove no longer needed TODO comments and clarify why a constant time test without a label lookup function is sufficient for _recipient_scan_outputs

Rebased on top of 0.7.0 release 🎉 a4db279 -> e35bede (2025_02 -> 2025_02_rebase, compare)

I did a deep dive on using (*arg)[size] in this PR and opened #1710 for discussion, since this is a broader topic than just this PR. The relevant changes for here and the downstream Bitcoin Core PRs are josibake@5a10880 and josibake/bitcoin@5835d98

Updated e35bede -> 1a84908 (2025_02_rebase -> 2025_03, compare)

• Added a test case for the _recipient_create_output_pubkey corner case (h/t @theStack)
• Removed the VERIFY_CHECK in favour of returning an error

Update 1a84908 -> 2948a9b (2025_03 -> 2025_04, compare)

• Fixed valgrind error in test
• Update the example to use EXIT_SUCCESS/EXIT_FAILURE (h/t @theStack)
• Clear shared secret variable consistently (and update comment) (h/t @theStack)
• Add comment explaining why we declassify the pubkey sum (h/t @theStack)

Thanks for the thorough review, @theStack !

Update 2948a9b -> 64ecd6c (2025_04 -> 2025_05, compare)

• Remove no longer needed TODO comment regarding _cmov
• Remove todo comment regarding input_hash, now that this is properly specified in the BIP

cc @jonasnick and @real-or-random regarding the use of a VERIFY_CHECK in favour of returning an error, when returning an error results in an untestable branch. I'm happy with the approach here were we use a VERIFY_CHECK for input_hash and t_k to check for an overflow of the curve order. However, given this is something we've discussed a few times in the post, would be great to hear your thoughts on this and I'm happy to defer to whatever you both think is best.

This should address all of the outstanding TODOs (at least the ones we left comments for 😅 )

Updated 64ecd6c -> 3c4af8f (2025_05 -> 2025_06, compare)

• Updates the benchmarks per @theStack 's suggestion to have separate benchmarks for _full_scan and full_scan_with_labels
• Leave a TODO comment for a follow-up to make the labels benchmark more representative of real world usage
• Cleans up the benchmark arguments and formatting

I pushed some (totally non-essential) fixup suggestions for the Python code to https://github.com/real-or-random/secp256k1/tree/bip352-silentpayments-module-2025-vector-fixups .

Related to this: I see why we need the ripemd160 and bech32m Python modules to parse addresses from the test vectors JSON file. This feels a bit wrong. This SP module covers some cryptographic core of SP, which does not deal with address encoding issues. So these files belong to full wallet implementations such as Bitcoin Core (where you got them from, I assume).

The only way around this that I see is that the intermediate results computed from the addresses (i.e., the extracted input pubkeys) would additionally be included in the JSON file. Do you think that would be a reasonable solution and acceptable from your point of view as a BIP author? Are there any drawbacks to this? I don't see any, but I might be missing something.

edit: Oh, or we could compute the input pubkeys from the seckeys in the JSON. Preferably in the C tests because this will require no Python EC code.

(It's not the end of the world to have this in our repo. I think this is my tendency as a maintainer to avoid code. The more code we have, the more we'll need to maintain.)

Some style things:

Thanks for the feedback! Agree with all of your points and will implement. Regarding keeping notation in line with the BIP or removing entirely, I'd prefer to avoid the BIP as much as possible. As you said, the API should be understandable without the BIP.

How the BIP and module are written today is more of a historic "oopsie." Ideally, the protocol should have been specified in a more module way, i.e., a cryptographic primitive (lets call it "non-interactive-payment", or "multiparty ECDH") and then a Bitcoin specific BIP that specifies how to use this NIP/MPECDH crypto primitive in a bitcoin specific context.

TLDR; I think we should keep this module more aligned with how things "should" have been done.

intermediate results computed from the addresses (i.e., the extracted input pubkeys) would additionally be included in the JSON file. Do you think that would be a reasonable solution and acceptable from your point of view as a BIP author? Are there any drawbacks to this? I don't see any, but I might be missing something.

Regarding the tests, I'd love to rip out all the Bitcoin specific python code. I dont see any drawbacks toward including intermediary results in the test files, and this would also be useful for index builders wishing to reuse the same set of test vectors. I've had a TODO for awhile now to update the BIP test vectors; I'll prioritise that work and update the PR here.

As always, thanks for the thorough review! I had one question that I'd like your input on, otherwise I'll work on implementing the rest of your feedback over the next couple days.

Rebased 2164d5c -> bd745e1 (2025_15 -> 2025_15-rebased, compare)

Rebased on master to include #1725

Updated bd745e1 -> d7281b9 (2025_15-rebased -> 2025_16, compare)

• Removed the workaround for the valgrind false positive 🎉
• s/public_data/prevout_summary/ (h/t @real-or-random)
• Update functions that either output or take a prevout_summary object as input to be a proper lazy evaluation (h/t @real-or-random)
• Avoid using BIP specific variable names, e.g., s/B_m/labeled_spend_pubkey/ etc (h/t @real-or-random)
• Clean up comments to use proper punctuation and full sentences (h/t @real-or-random)
• Improve error handling for malformed public keys and update test coverage (h/t @w0xlt)
• Explicitly clear intermediate hash variables when creating labels (h/t @w0xlt)
• Improve test coverage by explicitly testing more corner cases (h/t @real-or-random)
• Fix VERIFY typo (h/t @w0xlt)

In addition to what is explicitly mentioned above, I also slightly reworded a few comments and removed comments that I felt were simply restating what the code does without adding any extra information.

Thanks for the continued review @real-or-random . I think your suggestions for variable names and comments have improved the readability quite a bit. Also much happier with the prevout_summary naming and treating the prevout_summary object as a lazy evaluation.

Also, thanks @w0xlt for the thorough review! Much happier with the error handling and glad you caught the VERIFY typo.

@real-or-random

The only way around this that I see is that the intermediate results computed from the addresses

Working on an update to the BIP test vectors to include intermediate outputs. Once I have that pull request open, I'll update the test code here to remove the bech32m and ripemd160 python code.

Updated d7281b9 -> f3c0ad6 (2025_16 -> 2025_17, compare)

• s/prevout_summary/prevouts_summary/ - should have done this in the last push, apologies for the churn on this
• Updated tests to use the new structure introduced in BIP352: Add intermediate vector material for silent payments bitcoin/bips#1953 (h/t @macgyver13)
• Various spelling/comment cleanups (h/t @theStack , I promise I'll eventually learn how to spell recipient 😅 )

The main change in this push is being able to remove the ripemd160.py and bech32m.py files from the reference code! Thanks @macgyver13 for making these changes , both here and in the BIP repo!

Updated f3c0ad6 -> aa85bfb (2025_17 -> 2025_18, compare)

• Fix tests_silentpayments_generate.py to not skip test case (h/t @real-or-random )
• Refactor tests_silentpayments_generate.py to be more idiomatic python/more readable (h/t @real-or-random )
• Fix up tests_impl.h to handle extra test case (h/t @real-or-random)

Thanks for the fixup! branch for the test vectors, @real-or-random ! I added you as a coauthor.