silentpayments: add label tweak calculation routine

bitcoin-core · Feb 4, 2024 · f99af63 · f99af63
1 parent 4d04c4d
commit f99af63
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 0 deletions.
diff --git a/include/secp256k1_silentpayments.h b/include/secp256k1_silentpayments.h
@@ -149,6 +149,26 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_receive_
     const unsigned char *receiver_scan_seckey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
+/** Create Silent Payment label tweak.
+ *
+ *  Given a recipient's scan private key b_scan and a label integer m, calculate
+ *  the corresponding label tweak:
+ *
+ *  label_tweak = hash(b_scan || m)
+ *
+ *  Returns: 1 if label tweak creation was successful. 0 if an error occured.
+ *  Args:                  ctx: pointer to a context object
+ *  Out:           label_tweak: pointer to the resulting label tweak
+ *   In:  receiver_scan_seckey: pointer to the receiver's scan private key
+ *                           m: label integer (0 is used for change outputs)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_label_tweak(
+    const secp256k1_context *ctx,
+    unsigned char *label_tweak32,
+    const unsigned char *receiver_scan_seckey,
+    unsigned int m
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/src/modules/silentpayments/main_impl.h b/src/modules/silentpayments/main_impl.h
@@ -203,4 +203,39 @@ int secp256k1_silentpayments_receive_create_shared_secret(const secp256k1_contex
     return 1;
 }
 
+/** Set hash state to the BIP340 tagged hash midstate for "BIP0352/Label". */
+static void secp256k1_silentpayments_sha256_init_label(secp256k1_sha256* hash) {
+    secp256k1_sha256_initialize(hash);
+    hash->s[0] = 0x26b95d63ul;
+    hash->s[1] = 0x8bf1b740ul;
+    hash->s[2] = 0x10a5986ful;
+    hash->s[3] = 0x06a387a5ul;
+    hash->s[4] = 0x2d1c1c30ul;
+    hash->s[5] = 0xd035951aul;
+    hash->s[6] = 0x2d7f0f96ul;
+    hash->s[7] = 0x29e3e0dbul;
+
+    hash->bytes = 64;
+}
+
+int secp256k1_silentpayments_create_label_tweak(const secp256k1_context *ctx, unsigned char *label_tweak32, const unsigned char *receiver_scan_seckey, unsigned int m) {
+    secp256k1_sha256 hash;
+    unsigned char m_serialized[4];
+
+    /* Sanity check inputs. */
+    VERIFY_CHECK(ctx != NULL);
+    (void)ctx;
+    VERIFY_CHECK(label_tweak32 != NULL);
+    VERIFY_CHECK(receiver_scan_seckey != NULL);
+
+    /* Compute label_tweak = hash(ser_256(b_scan) || ser_32(m))  [sha256 with tag "BIP0352/Label"] */
+    secp256k1_silentpayments_sha256_init_label(&hash);
+    secp256k1_sha256_write(&hash, receiver_scan_seckey, 32);
+    secp256k1_write_be32(m_serialized, m);
+    secp256k1_sha256_write(&hash, m_serialized, sizeof(m_serialized));
+    secp256k1_sha256_finalize(&hash, label_tweak32);
+
+    return 1;
+}
+
 #endif