Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add silentpayments (BIP352) module #1471

Closed
wants to merge 13 commits into from
Closed

Add silentpayments (BIP352) module #1471

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
a9a5fe8
build: add skeleton for new silentpayments (BIP352) module
theStack Sep 27, 2023
6e3ed2d
doc: add module description for secp256k1-silentpayments
theStack Dec 23, 2023
81d1303
silentpayments: add private tweak data creation routine
theStack Dec 22, 2023
98f5ba4
silentpayments: add public tweak data creation routine
theStack Dec 18, 2023
842e5bf
silentpayments: add tweaked pubkey creation routine (for light client…
theStack Feb 16, 2024
b0e3796
silentpayments: add shared secret creation routine (a*B == A*b)
theStack Oct 5, 2023
2a00e12
silentpayments: add label tweak calculation routine
theStack Jan 22, 2024
dbcccbb
silentpayments: add routine for creating labelled spend pubkeys (for …
theStack Jan 23, 2024
8460be5
silentpayments: implement output pubkey creation (for sender)
theStack Sep 27, 2023
d6c9856
silentpayments: add routine for tx output scanning (for receiver)
theStack Feb 12, 2024
26bdb5f
silentpayments: implement output spending privkey creation (for recei…
theStack Dec 20, 2023
59488c4
tests: add BIP-352 test vectors
theStack Feb 22, 2024
e4ffa03
ci: enable silentpayments module
theStack Feb 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,9 +60,14 @@ option(SECP256K1_ENABLE_MODULE_RECOVERY "Enable ECDSA pubkey recovery module." O
option(SECP256K1_ENABLE_MODULE_EXTRAKEYS "Enable extrakeys module." ON)
option(SECP256K1_ENABLE_MODULE_SCHNORRSIG "Enable schnorrsig module." ON)
option(SECP256K1_ENABLE_MODULE_ELLSWIFT "Enable ElligatorSwift module." ON)
option(SECP256K1_ENABLE_MODULE_SILENTPAYMENTS "Enable Silent Payments module." OFF)

# Processing must be done in a topological sorting of the dependency graph
# (dependent module first).
if(SECP256K1_ENABLE_MODULE_SILENTPAYMENTS)
add_compile_definitions(ENABLE_MODULE_SILENTPAYMENTS=1)
endif()

if(SECP256K1_ENABLE_MODULE_ELLSWIFT)
add_compile_definitions(ENABLE_MODULE_ELLSWIFT=1)
endif()
Expand Down Expand Up @@ -292,6 +297,7 @@ message(" ECDSA pubkey recovery ............... ${SECP256K1_ENABLE_MODULE_RECOV
message(" extrakeys ........................... ${SECP256K1_ENABLE_MODULE_EXTRAKEYS}")
message(" schnorrsig .......................... ${SECP256K1_ENABLE_MODULE_SCHNORRSIG}")
message(" ElligatorSwift ...................... ${SECP256K1_ENABLE_MODULE_ELLSWIFT}")
message(" Silent Payments ..................... ${SECP256K1_ENABLE_MODULE_SILENTPAYMENTS}")
message("Parameters:")
message(" ecmult window size .................. ${SECP256K1_ECMULT_WINDOW_SIZE}")
message(" ecmult gen precision bits ........... ${SECP256K1_ECMULT_GEN_PREC_BITS}")
Expand Down
4 changes: 4 additions & 0 deletions Makefile.am
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -271,3 +271,7 @@ endif
if ENABLE_MODULE_ELLSWIFT
include src/modules/ellswift/Makefile.am.include
endif

if ENABLE_MODULE_SILENTPAYMENTS
include src/modules/silentpayments/Makefile.am.include
endif
10 changes: 10 additions & 0 deletions configure.ac
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,6 +188,10 @@ AC_ARG_ENABLE(module_ellswift,
AS_HELP_STRING([--enable-module-ellswift],[enable ElligatorSwift module [default=yes]]), [],
[SECP_SET_DEFAULT([enable_module_ellswift], [yes], [yes])])

AC_ARG_ENABLE(module_silentpayments,
AS_HELP_STRING([--enable-module-silentpayments],[enable Silent Payments module [default=no]]), [],
[SECP_SET_DEFAULT([enable_module_silentpayments], [no], [yes])])

AC_ARG_ENABLE(external_default_callbacks,
AS_HELP_STRING([--enable-external-default-callbacks],[enable external default callback functions [default=no]]), [],
[SECP_SET_DEFAULT([enable_external_default_callbacks], [no], [no])])
Expand Down Expand Up @@ -389,6 +393,10 @@ SECP_CFLAGS="$SECP_CFLAGS $WERROR_CFLAGS"

# Processing must be done in a reverse topological sorting of the dependency graph
# (dependent module first).
if test x"$enable_module_silentpayments" = x"yes"; then
SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_SILENTPAYMENTS=1"
fi

if test x"$enable_module_ellswift" = x"yes"; then
SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ELLSWIFT=1"
fi
Expand Down Expand Up @@ -450,6 +458,7 @@ AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"ye
AM_CONDITIONAL([ENABLE_MODULE_EXTRAKEYS], [test x"$enable_module_extrakeys" = x"yes"])
AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"])
AM_CONDITIONAL([ENABLE_MODULE_ELLSWIFT], [test x"$enable_module_ellswift" = x"yes"])
AM_CONDITIONAL([ENABLE_MODULE_SILENTPAYMENTS], [test x"$enable_module_silentpayments" = x"yes"])
AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$enable_external_asm" = x"yes"])
AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm32"])
AM_CONDITIONAL([BUILD_WINDOWS], [test "$build_windows" = "yes"])
Expand All @@ -472,6 +481,7 @@ echo " module recovery = $enable_module_recovery"
echo " module extrakeys = $enable_module_extrakeys"
echo " module schnorrsig = $enable_module_schnorrsig"
echo " module ellswift = $enable_module_ellswift"
echo " module silentpayments = $enable_module_silentpayments"
echo
echo " asm = $set_asm"
echo " ecmult window size = $set_ecmult_window"
Expand Down
296 changes: 296 additions & 0 deletions include/secp256k1_silentpayments.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,296 @@
#ifndef SECP256K1_SILENTPAYMENTS_H
#define SECP256K1_SILENTPAYMENTS_H

#include "secp256k1.h"
#include "secp256k1_extrakeys.h"

#ifdef __cplusplus
extern "C" {
#endif

/* This module provides an implementation for the ECC related parts of
* Silent Payments, as specified in BIP352. This particularly involves
* the creation of input tweak data by summing up private or public keys
* and the derivation of a shared secret using Elliptic Curve Diffie-Hellman.
* Combined are either:
* - spender's private keys and receiver's public key (a * B, sender side)
* - spender's public keys and receiver's private key (A * b, receiver side)
* With this result, the necessary key material for ultimately creating/scanning
* or spending Silent Payment outputs can be determined.
*
* Note that this module is _not_ a full implementation of BIP352, as it
* inherently doesn't deal with higher-level concepts like addresses, output
* script types or transactions. The intent is to provide cryptographical
* helpers for low-level calculations that are most error-prone to custom
* implementations (e.g. enforcing the right y-parity for key material, ECDH
* calculation etc.). For any wallet software already using libsecp256k1, this
* API should provide all the functions needed for a Silent Payments
* implementation without the need for any further manual elliptic-curve
* operations.
*/

/** Create Silent Payment tweak data from input private keys.
*
* Given a list of n private keys a_1...a_n (one for each silent payment
* eligible input to spend) and a serialized outpoint_smallest, compute
* the corresponding input private keys tweak data:
*
* a_sum = a_1 + a_2 + ... + a_n
* input_hash = hash(outpoint_smallest || (a_sum * G))
*
* If necessary, the private keys are negated to enforce the right y-parity.
* For that reason, the private keys have to be passed in via two different parameter
* pairs, depending on whether they were used for creating taproot outputs or not.
* The resulting data is needed to create a shared secret for the sender side.
*
* Returns: 1 if shared secret creation was successful. 0 if an error occured.
* Args: ctx: pointer to a context object
* Out: a_sum: pointer to the resulting 32-byte private key sum
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in "silentpayments: add private tweak data creation routine" (81d1303):

Thinking about this more, is there a usecase where the sender might need a_sum and not need the shared secret? If not, seems like it would be better to have the API accept private keys as an input and return the final shared secret. Otherwise, callers need to be really careful with a_sum as it could be a single private key.

What about renaming this function to something like secp256k1_silentpayments_create_shared_secret_from_private_data and it returns unsigned char shared_secret33. This way, we can pass pointers to the privkey data and get back the shared secret without needing to worry about handling a potentially dangerous a_sum in between.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking about this more, is there a usecase where the sender might need a_sum and not need the shared secret? If not, seems like it would be better to have the API accept private keys as an input and return the final shared secret. Otherwise, callers need to be really careful with a_sum as it could be a single private key.

The only a_sum/input_hash reuse scenario I could think of is one where the sender wants to create a transaction with more than one silent payments recipient (and with that, different scan pubkeys, i.e. the same recipient with different labels but same scan pubkey wouldn't count as "different" in that sense). Given that sending is an infrequent scenario and calculating a_sum and input_hash are comparably cheap operations, that's probably not a big deal though. The receiving/scanning part is potentially more of a problem, see comment below.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great point. This could be a fairly common usecase (e.g. an exchange processing withdrawals to $n$ silent payment addresses), but it is still a bounded problem in that you can't send to more than $N$ silent payment addresses in a single transaction, where $N$ is the number of outputs you can fit in a single block.

I'm leaning toward making this so the caller doesn't need to handle intermediary secret data. The other option is we expose both routines in the API?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great point. This could be a fairly common usecase (e.g. an exchange processing withdrawals to n silent payment addresses), but it is still a bounded problem in that you can't send to more than N silent payment addresses in a single transaction, where N is the number of outputs you can fit in a single block.

I'm leaning toward making this so the caller doesn't need to handle intermediary secret data. The other option is we expose both routines in the API?

Oops, I missed this comment last week. I agree that a secp256k1_silentpayments_create_shared_secret_from_private_data routine would be useful for the reasons you mentioned (i.e. avoid having to handle intermediate secret key data), will add one in a bit. I tend to think that exposing both routines still makes sense, in cases where performance for sending to multiple receivers is really a concern? Will keep the current one around for discussion, if it's not considered useful it can still be removed later.

* input_hash: pointer to the resulting 32-byte input hash
* In: plain_seckeys: pointer to an array of pointers to 32-byte private keys
* of non-taproot inputs (can be NULL if no private keys of
* non-taproot inputs are used)
* n_plain_seckeys: the number of sender's non-taproot input private keys
* taproot_seckeys: pointer to an array of pointers to 32-byte private keys
* of taproot inputs (can be NULL if no private keys of
* taproot inputs are used)
* n_taproot_seckeys: the number of sender's taproot input private keys
* outpoint_smallest36: serialized smallest outpoint
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_private_tweak_data(
const secp256k1_context *ctx,
unsigned char *a_sum,
unsigned char *input_hash,
const unsigned char * const *plain_seckeys,
size_t n_plain_seckeys,
const unsigned char * const *taproot_seckeys,
size_t n_taproot_seckeys,
const unsigned char *outpoint_smallest36
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(8);

/** Create Silent Payment tweak data from input public keys.
*
* Given a list of n public keys A_1...A_n (one for each silent payment
* eligible input to spend) and a serialized outpoint_smallest, compute
* the corresponding input public keys tweak data:
*
* A_sum = A_1 + A_2 + ... + A_n
* input_hash = hash(outpoint_lowest || A_sum)
*
* The public keys have to be passed in via two different parameter pairs,
* one for regular and one for x-only public keys, in order to avoid the need
* of users converting to a common pubkey format before calling this function.
* The resulting data is needed to create a shared secret for the receiver's side.
*
* Returns: 1 if tweak data creation was successful. 0 if an error occured.
* Args: ctx: pointer to a context object
* Out: A_sum: pointer to the resulting public keys sum
* input_hash: pointer to the resulting 32-byte input hash
* In: plain_pubkeys: pointer to an array of pointers to non-taproot
* public keys (can be NULL if no non-taproot inputs are used)
* n_plain_pubkeys: the number of non-taproot input public keys
* xonly_pubkeys: pointer to an array of pointers to taproot x-only
* public keys (can be NULL if no taproot inputs are used)
* n_xonly_pubkeys: the number of taproot input public keys
* outpoint_smallest36: serialized smallest outpoint
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_public_tweak_data(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in 2290e80:

This function covers a very important use case: preparing public transaction input data so that it can be served to a light client (a light client in this scenario is any client that does not have access to the blockchain but does have access to their b_scan private key).

However, if used by a full node client, this function would cause the receiver to do two ECC multiplications:

  1. A_sum * input_hash_scalar
  2. (A_sum * input_hash_Scalar) * b_scan

In d725050 the sender only does one ECC multiplication by first doing the less expensive scalar multiplication of a_sum * input_hash_scalar.

What if we had a single function that is used by both the sender and receiver, e.g.silentpayments_create_shared_secret, which takes the input_hash_scalar as an input and a private key (can be b_scan or a_sum) as inputs along with a public key (can be A_sum or B_scan). This function would multiply the private key and scalar and then do the ECDH step. We would then need separate function for the light client receiver only which takes b_scan and A_tweaked and does the ECDH step.

Just brainstorming, open to other suggestions! Also might be prematurely optimizing but from what I understand ECC Multiplication is expensive, so keeping it to one for both sender and receiver seems worth it even at this stage.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point! I assumed that full node clients using silent payments would usually also be interested in the public tweak data to maintain a tweak index (like e.g. bitcoin/bitcoin#28241), both for the purpose of serving the data to light clients and for faster silent payment rescans, but didn't consider that this might not be the case for all full nodes.

What if we had a single function that is used by both the sender and receiver, e.g.silentpayments_create_shared_secret, which takes the input_hash_scalar as an input and a private key (can be b_scan or a_sum) as inputs along with a public key (can be A_sum or B_scan). This function would multiply the private key and scalar and then do the ECDH step. We would then need separate function for the light client receiver only which takes b_scan and A_tweaked and does the ECDH step.

Seems reasonable, though currently we don't expose input_hash_scalar, so we'd need extra routines to also calculate that. Have to think more about it, open for all suggestions. Glad that the interface discussion is unleashed!

Just brainstorming, open to other suggestions! Also might be prematurely optimizing but from what I understand ECC Multiplication is expensive, so keeping it to one for both sender and receiver seems worth it even at this stage.

Agree that we should avoid these extra multiplications if possible.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have to think more about it, open for all suggestions. Glad that the interface discussion is unleashed!

Yeah, what I suggested is pretty half baked! I'll also give this a more thorough think and share my thoughts. Happy to keep the discussion here (easier to reference things concretely), or we can move it to the linked issue if you prefer.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have to think more about it, open for all suggestions. Glad that the interface discussion is unleashed!

Yeah, what I suggested is pretty half baked! I'll also give this a more thorough think and share my thoughts. Happy to keep the discussion here (easier to reference things concretely), or we can move it to the linked issue if you prefer.

No strong preference for issue or PR as discussion platform either, it's fine to keep it here for me as well!

I still haven't come up with something concrete yet, but am planning to study BIP327 and it's secp256k1 module PR (#1479), as it might give some ideas, both regarding interface and concrete implementation. Haven't looked deeper, but I see that a dedicated caching data type is introduced there to avoid recomputations, maybe something like that could be useful for a BIP352 interface too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One easy possibility to avoid the extra point multiplication on the receiver side for full node clients:

  • change _create_public_tweak_data to only calculate and return a tuple (A_sum, input_hash), without doing the multiplication. E.g. with a new struct data type:
typedef struct {
    secp256k1_pubkey pubkey_sum;
    unsigned char input_hash[32];
} secp256k1_silentpayments_pubkey_tweak_data;
  • change _receive_create_shared_secret to take an instance of this struct (instead of $A_{tweaked}$) accordingly, e.g.:
int secp256k1_silentpayments_receive_create_shared_secret(
    const secp256k1_context *ctx,
    unsigned char *shared_secret33,
    const secp256k1_silentpayments_pubkey_tweak_data *public_tweak_data,
    const unsigned char *receiver_scan_seckey
)

In that function, the shared secret would then be calculated via $SS = (b_{scan} * inputhash) * A_{sum}$

That would be a straightforward change. The only thing needed then for light clients (or nodes that want to create a silent payments tweak index) is an additional routine to calculate $A_{tweaked} = inputhash * A_{sum}$, given a _pubkey_tweak_data instance, and a possibility to calculate the shared secret from that $A_{tweaked}$. Should we have an extra shared secret creation routine for the receiver side that takes $A_{tweaked}$ (instead of the pubkey_tweak_data instance) and $b_{scan}$ (basically exactly what we have right now in the current PR state), or somehow abuse the pubkey_tweak_data structure to be also able to calculate and hold $A_{tweaked}$ already, e.g. with a flag (0=pubkey is sum, 1=pubkey is already tweaked with hash)?

Just some ideas and mostly thinking out loud, happy to receive further input.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change _create_public_tweak_data to only calculate and return a tuple (A_sum, input_hash)

This is how I did it in #28122 and this seemed to work well. This would also allow us to simplify things a bit and use a single routine for shared secret creation for both sender and receiver:

typedef struct {
    secp256k1_pubkey pubkey;
    unsigned char input_hash[32];
} secp256k1_silentpayments_pubkey_tweak_data;

int secp256k1_silentpayments_create_shared_secret(
    const secp256k1_context *ctx,
    unsigned char *shared_secret33,
    const secp256k1_silentpayments_pubkey_tweak_data *public_tweak_data,
    const unsigned char *seckey
)

where pubkey represents either the pubkey sum or the receivers scan public key and seckey represents either the senders secret key sum or the receivers scan private key. I think this would require modifying your _sender routines a bit, e.g. have the sender routine first sum the secret keys and then call the shared routine _silentpayments_create_shared_secret.

For the receiver, yes, I think we would need the two routines you mentioned:

  • one for creating $A_{tweaked}$ (i.e. $A_{tweaked} = inputhash * A_{sum}$)
  • one for creating a shared secret from $A_{tweaked}$ (i.e. $SS = b_{scan} * A_{tweaked}$)

These could also be the same routine since they are essentially doing the same thing ($d * P$) and both return unsigned char data[33], either to be written to an index/sent to light clients or hashed with $k$ to create an output. What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is how I did it in bitcoin/bitcoin#28122 and this seemed to work well. This would also allow us to simplify things a bit and use a single routine for shared secret creation for both sender and receiver:
...

Consolidating the API to a single shared secret creation function for both directions would be nice indeed. One drawback could be though that it is likely more confusing for the user and it's a bit easier to use it wrong; since the paramters can't be named exactly after what is expected anymore (e.g. receiver_scan_pubkey), they have to have more generic names (e.g. pubkey_part, privkey_part or sth alike), as it now depends on the direction. But that can (hopefully) be compensated by good API documentation? Not sure yet, but I think we should give it a try.

Even the shared secret creation for light clients (passing $A_{tweaked}$) case could be done by that same routine, by making one parameter optional (i.e. if input_hash is NULL, that signals that the tweak is already included in the passed pubkey). Another suggestions based on that, where the newly introduced struct from the previous comment doesn't exist anymore:

Tweak data creation:
  _create_private_tweak_data -> returns (a_sum, input_hash)
  _create_public_tweak_data  -> returns (A_sum, input_hash)

Shared secret creation:
  Sender:                  _create_shared_secret(..., ..., B_scan, a_sum, input_hash)
  Receiver (Full node):    _create_shared_secret(..., ..., A_sum, b_scan, input_hash)
  Receiver (Light client): _create_shared_secret(..., ..., A_tweaked, b_scan, NULL)

For the receiver, yes, I think we would need the two routines you mentioned:

  • one for creating Atweaked (i.e. Atweaked=inputhash∗Asum)
  • one for creating a shared secret from Atweaked (i.e. SS=bscan∗Atweaked)

These could also be the same routine since they are essentially doing the same thing (d∗P) and both return unsigned char data[33], either to be written to an index/sent to light clients or hashed with k to create an output. What do you think?

Those two calculations are different in the sense that the shared secret creation one does a full ECDH including the call of the ECDH hash function, while the other one is just a normal point multiplication (less critical, as there is no secret key material involved, IIUC). So I think a dedicated routine for creating A_tweaked from (input_hash, A_sum) is still needed. For that one, it probably makes sense to include the serialization to the 33-bytes already, as the user would need to do that for storing it in an index or sending it to the light client anyway.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One drawback could be though that it is likely more confusing for the user and it's a bit easier to use it wrong; since the paramters can't be named exactly after what is expected anymore

True, but as you said, I think we can address this with good documentation. Another for using the same routine for both sender and receiver is we ensure that sender and receiver will arrive at the same shared secret (provided they give correct inputs), since they are using the same routine. If we use separate routines, there is a small chance of introducing a bug in one of the routines that would cause the sender and receiver to arrive at different shared secrets despite giving the correct inputs.

Even the shared secret creation for light clients (passing ) case could be done by that same routine, by making one parameter optional (i.e. if input_hash is NULL, that signals that the tweak is already included in the passed pubkey)

Also not a bad idea! I'd say we can go with this for now and always revert to multiple routines if there are objections.

Those two calculations are different in the sense that the shared secret creation one does a full ECDH including the call of the ECDH hash function, while the other one is just a normal point multiplication

Good point, I forgot about that. I think the main difference here is that ECDH is done in constant time whereas point multiplication is not. Regardless, you're correct that these should remain separate routines and I agree we should just return the 33 byte serialized pubkey for the routine creating the light client/index data.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in "silentpayments: add public tweak data creation routine" (98f5ba4):

Similarly (see previous comment), we could rename this function to something like _create_shared_secret_from_public_data where it takes all the arguments and returns unsigned char *shared_secret33. The advantages here are:

  1. We can avoid returning needing to convert ge -> secp256k1_pubkey -> ge (the caller also doesn't need to know anything about secp256k1_pubkey)
  2. Less confusing for full node sender and receiver since they now only need one function call each and don't need to worry about the ambiguity with _create_shared_secret's arguments

Copy link
Contributor Author

@theStack theStack Feb 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in "silentpayments: add public tweak data creation routine" (98f5ba4):

Similarly (see previous comment), we could rename this function to something like _create_shared_secret_from_public_data where it takes all the arguments and returns unsigned char *shared_secret33. The advantages here are:

  1. We can avoid returning needing to convert ge -> secp256k1_pubkey -> ge (the caller also doesn't need to know anything about secp256k1_pubkey)
  2. Less confusing for full node sender and receiver since they now only need one function call each and don't need to worry about the ambiguity with _create_shared_secret's arguments

Nice idea, I think that interface would indeed be easier for users. The drawback I see here is that if a wallet scans for multiple silent payments addresses (ones that differ in the scan pubkey part), it is more costly, as the intermediate results of A_sum/input_hash can't be reused. E.g. deriving the shared secrets when scanning for both B1_scan/B1_spend and B2_scan/B2_spend:

Current interface:
    A_sum, input_hash = _create_public_tweak_data(input_pubkeys, input_xonly_pubkeys, outpoint_smallest)
    SS1 = _create_shared_secret(A_sum, b1_scan, input_hash)
    SS2 = _create_shared_secret(A_sum, b2_scan, input_hash)
    -> A_sum and input_hash only calculated once

Proposed interface:
    SS1 = _create_shared_secret_from_public_data(inputs_plain, inputs_taproot, outpoint_smallest, b1_scan)
    SS2 = _create_shared_secret_from_public_data(inputs_plain, inputs_taproot, outpoint_smallest, b2_scan)
    -> A_sum and input_hash need to be calculated twice

Can we live with that? Would that be common or is it much more likely that the scan keypair is constant and a user would only work with labels on the same scan pubkey anyway? Not sure what the typical usecase would be here in the future, interested about your thoughts about that. Without having numbers, I could imagine that summing up pubkeys is insignifcant compared to the point multiplication in the ECDH step, but it's still a bit ugly that for scanning $n$ different addresses, the pubkey summing and input hashing has to be repeated $n$ times.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a great point, scanning the same transaction for multiple receivers will be a likely use case, so probably better to keep it as is.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also worth pointing out this is an unbounded problem (unlike the sending case): I could be scanning for 30M scan keys for a single transaction. In this case, we would want to avoid recalculating A_sum and the inputs_hash 30M times.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also worth pointing out this is an unbounded problem (unlike the sending case): I could be scanning for 30M scan keys for a single transaction. In this case, we would want to avoid recalculating A_sum and the inputs_hash 30M times.

True! Do you think it's worth it to still introduce a _create_shared_secret_from_public_data helper like you proposed for the simple-case (with a mentioning hint like "don't use this routine repeatedly when scanning for multiple scan keys"), in addition to the current one? I'm a bit torn between "both routines could give more flexibility" and "the API should stay small and clean". 🤔

const secp256k1_context *ctx,
secp256k1_pubkey *A_sum,
unsigned char *input_hash,
const secp256k1_pubkey * const *plain_pubkeys,
size_t n_plain_pubkeys,
const secp256k1_xonly_pubkey * const *xonly_pubkeys,
size_t n_xonly_pubkeys,
const unsigned char *outpoint_smallest36
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(8);

/** Create Silent Payment tweaked public key from public tweak data.
*
* Given public tweak data (public keys sum and input hash), calculate the
* corresponding tweaked public key:
*
* A_tweaked = input_hash * A_sum
*
* The resulting data is useful for light clients and silent payment indexes.
*
* Returns: 1 if tweaked public key creation was successful. 0 if an error occured.
* Args: ctx: pointer to a context object
* Out: A_tweaked: pointer to the resulting tweaked public key
* In: A_sum: pointer to the public keys sum
* input_hash: pointer to the 32-byte input hash
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_tweaked_pubkey(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in " silentpayments: add tweaked pubkey creation routine (for light clients / sp index)" (842e5bf):

If we end up using the _create_shared_secret_from_public_data routine, we could also have this be _create_tweaked_pubkey_from_public_data where it takes all the same inputs as _create_shared_secret_from_public_data and returns unsigned char *A_tweaked33. This function would be used by anyone intending to store this data in an index or serve directly to a light client.

const secp256k1_context *ctx,
secp256k1_pubkey *A_tweaked,
const secp256k1_pubkey *A_sum,
const unsigned char *input_hash
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

/** Create Silent Payment shared secret.
*
* Given a public component Pub, a private component sec and an input_hash,
* calculate the corresponding shared secret using ECDH:
*
* shared_secret = (sec * input_hash) * Pub
*
* What the components should be set to depends on the role of the caller.
* For the sender side, the public component is set the recipient's scan public key
* B_scan, and the private component is set to the input's private keys sum:
*
* shared_secret = (a_sum * input_hash) * B_scan [Sender]
*
* For the receiver side, the public component is set to the input's public keys sum,
* and the private component is set to the receiver's scan private key:
*
* shared_secret = (b_scan * input_hash) * A_sum [Receiver, Full node scenario]
*
* In the "light client" scenario for receivers, the public component is already
* tweaked with the input hash: A_tweaked = input_hash * A_sum
* In this case, the input_hash parameter should be set to NULL, to signal that
* no further tweaking should be done before the ECDH:
*
* shared_secret = b_scan * A_tweaked [Receiver, Light client scenario]
*
* The resulting shared secret is needed as input for creating silent payments
* outputs belonging to the same receiver scan public key.
*
* Returns: 1 if shared secret creation was successful. 0 if an error occured.
* Args: ctx: pointer to a context object
* Out: shared_secret33: pointer to the resulting 33-byte shared secret
* In: public_component: pointer to the public component
* private_component: pointer to 32-byte private component
* input_hash: pointer to 32-byte input hash (can be NULL if the
* public component is already tweaked with the input hash)
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_shared_secret(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in "silentpayments: add shared secret creation routine (aB == Ab)" (b0e3796):

Building off the last couple suggestions, this function is now exclusively for light clients and there is no ambiguity about the arguments:

  • public_component is always A_tweaked
  • private_component is always b_scan

we can also drop the input_hash argument and change public_component to unsigned char *A_tweaked

const secp256k1_context *ctx,
unsigned char *shared_secret33,
const secp256k1_pubkey *public_component,
const unsigned char *secret_component,
const unsigned char *input_hash
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

/** Create Silent Payment label tweak and label.
*
* Given a recipient's scan private key b_scan and a label integer m, calculate
* the corresponding label tweak and label:
*
* label_tweak = hash(b_scan || m)
* label = label_tweak * G
*
* Returns: 1 if label tweak and label creation was successful. 0 if an error occured.
* Args: ctx: pointer to a context object
* Out: label_tweak: pointer to the resulting label tweak
* In: receiver_scan_seckey: pointer to the receiver's scan private key
* m: label integer (0 is used for change outputs)
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_label_tweak(
const secp256k1_context *ctx,
secp256k1_pubkey *label,
theStack marked this conversation as resolved.
Show resolved Hide resolved
unsigned char *label_tweak32,
const unsigned char *receiver_scan_seckey,
unsigned int m
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

/** Create Silent Payment labelled spend public key.
*
* Given a recipient's spend public key B_spend and a label, calculate
* the corresponding serialized labelled spend public key:
*
* B_m = B_spend + label
*
* The result is used by the receiver to create a Silent Payment address, consisting
* of the serialized and concatenated scan public key and (labelled) spend public key each.
*
* Returns: 1 if labelled spend public key creation was successful. 0 if an error occured.
* Args: ctx: pointer to a context object
* Out: l_addr_spend_pubkey33: pointer to the resulting labelled spend public key
* In: receiver_spend_pubkey: pointer to the receiver's spend pubkey
* label: pointer to the the receiver's label
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_create_address_spend_pubkey(
const secp256k1_context *ctx,
unsigned char *l_addr_spend_pubkey33,
const secp256k1_pubkey *receiver_spend_pubkey,
const secp256k1_pubkey *label
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

/** Create Silent Payment output public key (for sender).
*
* Given a shared_secret, a recipient's spend public key B_spend, and
* an output counter k, calculate the corresponding output public key:
*
* P_output_xonly = B_spend + hash(shared_secret || ser_32(k)) * G
*
* Returns: 1 if output creation was successful. 0 if an error occured.
* Args: ctx: pointer to a context object
* Out: P_output_xonly: pointer to the resulting output x-only pubkey
* In: shared_secret33: shared secret, derived from either sender's
* or receiver's perspective with routines from above
Comment on lines +229 to +230
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only from the sender's perspective since only the sender calls this (as per the first sentence in the doc), right?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed _sender_ from the name in my refactor branch since this function can be used by the sender when creating outputs and also by the receiver when scanning without access to the transaction outputs (e.g. light clients).

* receiver_spend_pubkey: pointer to the receiver's spend pubkey
* k: output counter (usually set to 0, should be increased for
* every additional output to the same recipient)
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_sender_create_output_pubkey(
const secp256k1_context *ctx,
secp256k1_xonly_pubkey *P_output_xonly,
const unsigned char *shared_secret33,
const secp256k1_pubkey *receiver_spend_pubkey,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in "silentpayments: implement output pubkey creation (for sender)" (8460be5):

I think the sender will always be getting the receiver spend key externally, so we could just have this be unsigned char *receiver_spend_pubkey and handle the conversion to secp256k1_pubkey for the caller.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in "silentpayments: implement output pubkey creation (for sender)" (8460be5):

I think the sender will always be getting the receiver spend key externally, so we could just have this be unsigned char *receiver_spend_pubkey and handle the conversion to secp256k1_pubkey for the caller.

SGTM, I'm all for minimizing necessary conversions at the caller-side. One slight drawback might be that the routine has now one more reason to fail (if the passed byte-string is not representing a valid public key), but I think that's acceptable.

unsigned int k
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

typedef struct {
secp256k1_pubkey label;
secp256k1_pubkey label_negated;
} secp256k1_silentpayments_label_data;

/** Scan for Silent Payment transaction output (for receiver).
*
* Given a shared_secret, a recipient's spend public key B_spend,
* an output counter k, and a scanned tx's output x-only public key tx_output,
* calculate the corresponding scanning data:
*
* t_k = hash(shared_secret || ser_32(k))
* P_output = B_spend + t_k * G [not returned]
Comment on lines +248 to +255
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the course of writing benchmarks, I just noticed that this scanning API is flawed from a performance perspective, as we currently recalculate $t_k$ and $P_{output}$ on every scanned output instead of only after the output counter $k$ is increased (that is, if a match was found). It seems that this routine should be split up into one calculating $P_{output}$ (only to be called once per $(B_{spend}, k)$ pair) and another one for calculating label candidates, given $P_{output}$ and $tx_{output}$ (to be called on each scanned output, if there's no match). So the direct_match boolean out-parameter would go away (it was a bit weird anyway), as the caller would do the comparison between $P_{output}$ and $tx_{output}$.

* if P_output == tx_output
* direct_match = 1
* else
* label1 = tx_output - P_output
* label2 = -tx_output - P_output
* direct_match = 0
*
* The resulting data is needed for the receiver to efficiently scan for labels
* in silent payments eligible outputs.
*
* Returns: 1 if output scanning was successful. 0 if an error occured.
* Args: ctx: pointer to a context object
* Out: direct_match: pointer to the resulting boolean indicating whether
* the calculated output pubkey matches the scanned one
* t_k: pointer to the resulting tweak t_k
* label_data: pointer to the resulting label structure, containing the
* two label candidates, only set if direct_match == 0
* (can be NULL if the data is not needed)
* In: shared_secret33: shared secret, derived from either sender's
* or receiver's perspective with routines from above
* receiver_spend_pubkey: pointer to the receiver's spend pubkey
* k: output counter (usually set to 0, should be increased for
* every additional output to the same recipient)
* tx_output: pointer to the scanned tx's output x-only public key
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_receiver_scan_output(
const secp256k1_context *ctx,
int *direct_match,
unsigned char *t_k,
secp256k1_silentpayments_label_data *label_data,
const unsigned char *shared_secret33,
const secp256k1_pubkey *receiver_spend_pubkey,
unsigned int k,
const secp256k1_xonly_pubkey *tx_output
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(8);

#ifdef __cplusplus
}
#endif

#endif /* SECP256K1_SILENTPAYMENTS_H */
2 changes: 2 additions & 0 deletions src/modules/silentpayments/Makefile.am.include
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
include_HEADERS += include/secp256k1_silentpayments.h
noinst_HEADERS += src/modules/silentpayments/main_impl.h
theStack marked this conversation as resolved.
Show resolved Hide resolved
Loading