add tests for creating and verifying proofs

- in examples/silentpayments.c
    - sender now generates outputs with proof and verifies the proof
    - proof can be serialised to bytes and sent to recipient
    - bytes can be parsed back to proof by recipient as well
    - recipient can verify proof
- in tests_recipients_helper, run_silentpayments_test_vector_send
    - along with output checks, generate DLEQ proofs and verify them

Author: stratospher

examples/silentpayments.c

@@ -18,6 +18,7 @@
 
 #define N_INPUTS  2
 #define N_OUTPUTS 3
+#define N_RECIPIENTS 2
 
 /* Static data for Bob and Carol's silent payment addresses */
 static unsigned char smallest_outpoint[36] = {
@@ -127,6 +128,7 @@ int main(void) {
     secp256k1_xonly_pubkey *tx_output_ptrs[N_OUTPUTS];
     int ret;
     size_t i;
+    unsigned char dleq_proof[N_RECIPIENTS][64];
 
     /* Before we can call actual API functions, we need to create a "context" */
     secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
@@ -229,18 +231,66 @@ int main(void) {
         for (i = 0; i < N_OUTPUTS; i++) {
             tx_output_ptrs[i] = &tx_outputs[i];
         }
-        ret = secp256k1_silentpayments_sender_create_outputs(ctx,
-            tx_output_ptrs,
-            recipient_ptrs, N_OUTPUTS,
-            smallest_outpoint,
-            sender_keypair_ptrs, N_INPUTS,
-            NULL, 0
-        );
-        if (!ret) {
-            printf("Something went wrong, try again with different inputs.\n");
-            return EXIT_FAILURE;
+
+        /* Sender can perform 1 of the following options:
+         * Option 1: generate outputs without DLEQ proofs
+            ret = secp256k1_silentpayments_sender_create_outputs(ctx,
+                tx_output_ptrs,
+                recipient_ptrs, N_OUTPUTS,
+                smallest_outpoint,
+                sender_keypair_ptrs, N_INPUTS,
+                NULL, 0
+            );
+            if (!ret) {
+                printf("Something went wrong, try again with different inputs.\n");
+                return EXIT_FAILURE;
+            }
+         */
+        {
+            /* Option 2: generate outputs with DLEQ proofs*/
+            secp256k1_silentpayments_prevouts_summary prevouts_summary;
+            size_t n_dleq_size;
+            secp256k1_silentpayments_dleq_data dleq_data[N_RECIPIENTS];
+            secp256k1_silentpayments_dleq_data *dleq_data_ptrs[N_RECIPIENTS];
+            for (i = 0; i < N_RECIPIENTS; i++) {
+                dleq_data_ptrs[i] = &dleq_data[i];
+            }
+            for (i = 0; i < N_INPUTS; i++) {
+                tx_input_ptrs[i] = &tx_inputs[i];
+            }
+            ret = secp256k1_silentpayments_recipient_prevouts_summary_create(ctx, &prevouts_summary, smallest_outpoint,
+                                                                        tx_input_ptrs, N_INPUTS, NULL, 0);
+            assert(ret);
+
+            ret = secp256k1_silentpayments_sender_create_outputs_with_proof(ctx,
+                tx_output_ptrs, dleq_data_ptrs, &n_dleq_size,
+                recipient_ptrs, N_OUTPUTS,
+                smallest_outpoint,
+                sender_keypair_ptrs, N_INPUTS,
+                NULL, 0
+            );
+            assert(n_dleq_size == N_RECIPIENTS);
+            assert(ret);
+            /* Ensure that outputs are generated correctly at the sender side by verifying the DLEQ proof */
+            for (i = 0; i < N_RECIPIENTS; i++) {
+                /* Serialized form of proof can be sent from 1 sender side device to another sender side device.
+                 * ex: hardware wallet (which can do ECDH + proof calculation) to wallet application. */
+                unsigned char ss_proof_index_bytes[33 + 64 + 4];
+                secp256k1_silentpayments_dleq_data data;
+                secp256k1_silentpayments_dleq_data_serialize(ss_proof_index_bytes, &dleq_data[i]);
+                /* Parse the serialized proof on the second device. (ex: wallet application) */
+                secp256k1_silentpayments_dleq_data_parse(&data, ss_proof_index_bytes);
+                /* Proof verification can be done on the second device. */
+                ret = secp256k1_silentpayments_verify_proof(ctx, data.shared_secret, data.proof,
+                                                            &recipients[data.index].scan_pubkey,
+                                                            &prevouts_summary);
+                assert(ret);
+                /* Store proof to send to different receivers (Bob, Carol) later. */
+                memcpy(dleq_proof[i], ss_proof_index_bytes + 33, 64);
+            }
         }
-        printf("Alice created the following outputs for Bob and Carol:\n");
+
+        printf("Alice created the following outputs for Bob and Carol: \n");
         for (i = 0; i < N_OUTPUTS; i++) {
             printf("    ");
             ret = secp256k1_xonly_pubkey_serialize(ctx,
@@ -481,6 +531,25 @@ int main(void) {
             } else {
                 printf("Bob did not find any outputs in this transaction.\n");
             }
+            {
+                /* Optionally, Bob can use DLEQ proof to prove ownership of his address without revealing private keys
+                 * DLEQ proof verification needs proof, input pubkey sum, Bob's scan pubkey and shared secret as inputs. */
+                unsigned char shared_secret[33];
+                secp256k1_pubkey scan_pubkey;
+                /* 1. Get Bob's scan pubkey */
+                ret = secp256k1_ec_pubkey_parse(ctx, &scan_pubkey, bob_address[0], 33);
+                assert(ret);
+                /* 2. Compute input pubkey sum */
+                ret = secp256k1_silentpayments_recipient_prevouts_summary_serialize(ctx, light_client_data33, &prevouts_summary);
+                assert(ret);
+                /* 3. Bob computes shared secret */
+                ret = secp256k1_silentpayments_recipient_create_shared_secret(ctx, shared_secret, bob_scan_key,
+                                                                              &prevouts_summary);
+                assert(ret);
+                /* 4. Use proof we obtained from Alice for verification */
+                ret &= secp256k1_silentpayments_verify_proof(ctx, shared_secret, dleq_proof[0], &scan_pubkey, &prevouts_summary);
+                assert(ret);
+            }
         }
         {
             /*** Scanning as a light client (Carol) ***
@@ -608,6 +677,18 @@ int main(void) {
             } else {
                 printf("Carol did not find any outputs in this transaction.\n");
             }
+            {
+                /* Optionally, Carol can use DLEQ proof to prove ownership of her address without revealing private keys
+                 * DLEQ proof verification needs proof, input pubkey sum, Carol's scan pubkey and shared secret as inputs. */
+                /* 1. Get Carol's scan pubkey */
+                secp256k1_pubkey scan_pubkey;
+                ret = secp256k1_ec_pubkey_parse(ctx, &scan_pubkey, carol_address[0], 33);
+                assert(ret);
+                /* 2. Input pubkey sum and shared secret already computed at this point, so verify_proof directly */
+                /* 3. Use proof we obtained from Alice for verification */
+                ret &= secp256k1_silentpayments_verify_proof(ctx, shared_secret, dleq_proof[1], &scan_pubkey, &prevouts_summary);
+                assert(ret);
+            }
         }
     }
 

src/modules/silentpayments/tests_impl.h

@@ -11,6 +11,7 @@
 #include "../../../src/modules/silentpayments/vectors.h"
 #include "../../../src/modules/silentpayments/dleq_vectors.h"
 #include "../../../include/secp256k1.h"
+#include <assert.h>
 
 /** Constants
  *
@@ -132,6 +133,9 @@ static void test_recipient_sort_helper(unsigned char (*sp_addresses[3])[2][33],
     const secp256k1_silentpayments_recipient *recipient_ptrs[3];
     secp256k1_xonly_pubkey generated_outputs[3];
     secp256k1_xonly_pubkey *generated_output_ptrs[3];
+    secp256k1_silentpayments_dleq_data dleq_data[2];
+    secp256k1_silentpayments_dleq_data *dleq_data_ptrs[2];
+    size_t n_dleq_size;
     unsigned char xonly_ser[32];
     size_t i;
     int ret;
@@ -143,15 +147,32 @@ static void test_recipient_sort_helper(unsigned char (*sp_addresses[3])[2][33],
         recipients[i].index = i;
         recipient_ptrs[i] = &recipients[i];
         generated_output_ptrs[i] = &generated_outputs[i];
+        if (i != 2){
+            dleq_data_ptrs[i] = &dleq_data[i];
+        }
     }
-    ret = secp256k1_silentpayments_sender_create_outputs(CTX,
-        generated_output_ptrs,
+    ret = secp256k1_silentpayments_sender_create_outputs_with_proof(CTX,
+        generated_output_ptrs, dleq_data_ptrs, &n_dleq_size,
         recipient_ptrs, 3,
         SMALLEST_OUTPOINT,
         NULL, 0,
         seckey_ptrs, 1
     );
     CHECK(ret == 1);
+    {
+        secp256k1_pubkey pk;
+        secp256k1_xonly_pubkey xonly_pk;
+        secp256k1_silentpayments_prevouts_summary prevouts_summary;
+        const secp256k1_xonly_pubkey *tx_input_ptr = &xonly_pk;
+        CHECK(secp256k1_ec_pubkey_create(CTX, &pk, seckey_ptrs[0]) == 1);
+        CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, NULL, &pk) == 1);
+        CHECK(secp256k1_silentpayments_recipient_prevouts_summary_create(CTX, &prevouts_summary, SMALLEST_OUTPOINT, &tx_input_ptr, 1, NULL, 0) == 1);
+        for (i = 0; i < 2; i++) {
+            CHECK(secp256k1_silentpayments_verify_proof(CTX, dleq_data_ptrs[i]->shared_secret, dleq_data_ptrs[i]->proof,
+                                                        &recipients[dleq_data_ptrs[i]->index].scan_pubkey,
+                                                        &prevouts_summary) == 1);
+        }
+    }
     for (i = 0; i < 3; i++) {
         secp256k1_xonly_pubkey_serialize(CTX, xonly_ser, &generated_outputs[i]);
         CHECK(secp256k1_memcmp_var(xonly_ser, (*sp_outputs[i]), 32) == 0);
@@ -505,9 +526,17 @@ void run_silentpayments_test_vector_send(const struct bip352_test_vector *test)
     secp256k1_keypair taproot_keypairs[MAX_INPUTS_PER_TEST_CASE];
     secp256k1_keypair const *taproot_keypair_ptrs[MAX_INPUTS_PER_TEST_CASE];
     unsigned char const *plain_seckeys[MAX_INPUTS_PER_TEST_CASE];
+    secp256k1_pubkey plain_pubkeys[MAX_INPUTS_PER_TEST_CASE];
+    const secp256k1_pubkey *plain_pubkey_ptrs[MAX_INPUTS_PER_TEST_CASE];
+    secp256k1_xonly_pubkey xonly_pubkeys[MAX_INPUTS_PER_TEST_CASE];
+    const secp256k1_xonly_pubkey *xonly_pubkey_ptrs[MAX_INPUTS_PER_TEST_CASE];
+    secp256k1_silentpayments_dleq_data dleq_data[MAX_OUTPUTS_PER_TEST_CASE];
+    secp256k1_silentpayments_dleq_data *dleq_data_ptrs[MAX_OUTPUTS_PER_TEST_CASE];
     unsigned char created_output[32];
     size_t i, j, k;
     int match, ret;
+    size_t n_dleq_size;
+    secp256k1_silentpayments_prevouts_summary prevouts_summary;
 
     /* Check that sender creates expected outputs */
     for (i = 0; i < test->num_outputs; i++) {
@@ -516,19 +545,24 @@ void run_silentpayments_test_vector_send(const struct bip352_test_vector *test)
         recipients[i].index = i;
         recipient_ptrs[i] = &recipients[i];
         generated_output_ptrs[i] = &generated_outputs[i];
+        dleq_data_ptrs[i] = &dleq_data[i];
     }
     for (i = 0; i < test->num_plain_inputs; i++) {
         plain_seckeys[i] = test->plain_seckeys[i];
+        CHECK(secp256k1_ec_pubkey_create(CTX, &plain_pubkeys[i], plain_seckeys[i]) == 1);
+        plain_pubkey_ptrs[i] = &plain_pubkeys[i];
     }
     for (i = 0; i < test->num_taproot_inputs; i++) {
         CHECK(secp256k1_keypair_create(CTX, &taproot_keypairs[i], test->taproot_seckeys[i]));
         taproot_keypair_ptrs[i] = &taproot_keypairs[i];
+        CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pubkeys[i], NULL, &taproot_keypairs[i]) == 1);
+        xonly_pubkey_ptrs[i] = &xonly_pubkeys[i];
     }
     {
         int32_t ecount = 0;
         secp256k1_context_set_illegal_callback(CTX, counting_callback_fn, &ecount);
-        ret = secp256k1_silentpayments_sender_create_outputs(CTX,
-            generated_output_ptrs,
+        ret = secp256k1_silentpayments_sender_create_outputs_with_proof(CTX,
+            generated_output_ptrs, dleq_data_ptrs, &n_dleq_size,
             recipient_ptrs,
             test->num_outputs,
             test->outpoint_smallest,
@@ -566,6 +600,16 @@ void run_silentpayments_test_vector_send(const struct bip352_test_vector *test)
         }
     }
     CHECK(match);
+
+    /* Verify generated DLEQ proofs*/
+    CHECK(secp256k1_silentpayments_recipient_prevouts_summary_create(CTX, &prevouts_summary, test->outpoint_smallest,
+                                                                test->num_taproot_inputs > 0 ? xonly_pubkey_ptrs : NULL, test->num_taproot_inputs,
+                                                                test->num_plain_inputs > 0 ? plain_pubkey_ptrs : NULL, test->num_plain_inputs) == 1);
+    for (i = 0; i < n_dleq_size; i++) {
+        CHECK(secp256k1_silentpayments_verify_proof(CTX, dleq_data_ptrs[i]->shared_secret, dleq_data_ptrs[i]->proof,
+                                                    &recipients[dleq_data_ptrs[i]->index].scan_pubkey,
+                                                    &prevouts_summary) == 1);
+    }
 }
 
 void run_silentpayments_test_vector_receive(const struct bip352_test_vector *test) {