Add "silentpayments" module implementing BIP352 (take 4, limited to full-node scanning) #1765
Conversation
|
Added the optimized version on top of this PR: For more context: |
|
Small supplementary update: I've created a corresponding Python implementation of the provided API functions based on secp256k1lab (https://github.com/theStack/secp256k1lab/blob/add_bip352_module_review_helper/src/secp256k1lab/bip352.py) (also linked in the PR description). The hope is that this makes reviewing this PR a bit easier by having a less noisy, "executable pseudo-code"-like description on what happens under the hood. The code passes the BIP352 test vectors and hence should be correct.
Thanks for rebasing on top of this PR, much appreciated! I will take a closer look within the next days. |
w0xlt
left a comment
w0xlt
left a comment
There was a problem hiding this comment.
Nit: Not related to optimization, but the diff below removes some redundant public-key serialization code:
diff --git a/src/modules/silentpayments/main_impl.h b/src/modules/silentpayments/main_impl.h
index 106da20..922433d 100644
--- a/src/modules/silentpayments/main_impl.h
+++ b/src/modules/silentpayments/main_impl.h
@@ -21,6 +21,19 @@
/** magic bytes for ensuring prevouts_summary objects were initialized correctly. */
static const unsigned char secp256k1_silentpayments_prevouts_summary_magic[4] = { 0xa7, 0x1c, 0xd3, 0x5e };
+/* Serialize a ge to compressed 33 bytes. Keeps eckey_pubkey_serialize usage uniform
+ * (expects non-const ge*), and centralizes the VERIFY_CHECK. */
+static SECP256K1_INLINE void secp256k1_sp_ge_serialize33(const secp256k1_ge* in, unsigned char out33[33]) {
+ size_t len = 33;
+ secp256k1_ge tmp = *in;
+ int ok = secp256k1_eckey_pubkey_serialize(&tmp, out33, &len, 1);
+#ifdef VERIFY
+ VERIFY_CHECK(ok && len == 33);
+#else
+ (void)ok;
+#endif
+}
+
/** Sort an array of silent payment recipients. This is used to group recipients by scan pubkey to
* ensure the correct values of k are used when creating multiple outputs for a recipient.
*
@@ -68,13 +81,11 @@ static int secp256k1_silentpayments_calculate_input_hash_scalar(secp256k1_scalar
secp256k1_sha256 hash;
unsigned char pubkey_sum_ser[33];
unsigned char input_hash[32];
- size_t len;
int ret, overflow;
secp256k1_silentpayments_sha256_init_inputs(&hash);
secp256k1_sha256_write(&hash, outpoint_smallest36, 36);
- ret = secp256k1_eckey_pubkey_serialize(pubkey_sum, pubkey_sum_ser, &len, 1);
- VERIFY_CHECK(ret && len == sizeof(pubkey_sum_ser));
+ secp256k1_sp_ge_serialize33(pubkey_sum, pubkey_sum_ser);
secp256k1_sha256_write(&hash, pubkey_sum_ser, sizeof(pubkey_sum_ser));
secp256k1_sha256_finalize(&hash, input_hash);
/* Convert input_hash to a scalar.
@@ -85,15 +96,13 @@ static int secp256k1_silentpayments_calculate_input_hash_scalar(secp256k1_scalar
* an error to ensure strict compliance with BIP0352.
*/
secp256k1_scalar_set_b32(input_hash_scalar, input_hash, &overflow);
- ret &= !secp256k1_scalar_is_zero(input_hash_scalar);
+ ret = !secp256k1_scalar_is_zero(input_hash_scalar);
return ret & !overflow;
}
static void secp256k1_silentpayments_create_shared_secret(const secp256k1_context *ctx, unsigned char *shared_secret33, const secp256k1_ge *public_component, const secp256k1_scalar *secret_component) {
secp256k1_gej ss_j;
secp256k1_ge ss;
- size_t len;
- int ret;
secp256k1_ecmult_const(&ss_j, public_component, secret_component);
secp256k1_ge_set_gej(&ss, &ss_j);
@@ -103,12 +112,7 @@ static void secp256k1_silentpayments_create_shared_secret(const secp256k1_contex
* impossible at this point considering we have already validated the public key and
* the secret key.
*/
- ret = secp256k1_eckey_pubkey_serialize(&ss, shared_secret33, &len, 1);
-#ifdef VERIFY
- VERIFY_CHECK(ret && len == 33);
-#else
- (void)ret;
-#endif
+ secp256k1_sp_ge_serialize33(&ss, shared_secret33);
/* Leaking these values would break indistinguishability of the transaction, so clear them. */
secp256k1_ge_clear(&ss);
@@ -585,7 +589,6 @@ int secp256k1_silentpayments_recipient_scan_outputs(
secp256k1_ge output_negated_ge, tx_output_ge;
secp256k1_gej tx_output_gej, label_gej;
unsigned char label33[33];
- size_t len;
secp256k1_xonly_pubkey_load(ctx, &tx_output_ge, tx_outputs[j]);
secp256k1_gej_set_ge(&tx_output_gej, &tx_output_ge);
@@ -595,7 +598,6 @@ int secp256k1_silentpayments_recipient_scan_outputs(
secp256k1_ge_neg(&output_negated_ge, &output_ge);
secp256k1_gej_add_ge_var(&label_gej, &tx_output_gej, &output_negated_ge, NULL);
secp256k1_ge_set_gej_var(&label_ge, &label_gej);
- ret = secp256k1_eckey_pubkey_serialize(&label_ge, label33, &len, 1);
/* Serialize must succeed because the point was just loaded.
*
* Note: serialize will also fail if label_ge is the point at infinity, but we know
@@ -603,7 +605,7 @@ int secp256k1_silentpayments_recipient_scan_outputs(
* Thus, we know that label_ge = tx_output_gej + output_negated_ge cannot be the
* point at infinity.
*/
- VERIFY_CHECK(ret && len == 33);
+ secp256k1_sp_ge_serialize33(&label_ge, label33);
label_tweak = label_lookup(label33, label_context);
if (label_tweak != NULL) {
found = 1;
@@ -617,7 +619,6 @@ int secp256k1_silentpayments_recipient_scan_outputs(
secp256k1_gej_neg(&label_gej, &tx_output_gej);
secp256k1_gej_add_ge_var(&label_gej, &label_gej, &output_negated_ge, NULL);
secp256k1_ge_set_gej_var(&label_ge, &label_gej);
- ret = secp256k1_eckey_pubkey_serialize(&label_ge, label33, &len, 1);
/* Serialize must succeed because the point was just loaded.
*
* Note: serialize will also fail if label_ge is the point at infinity, but we know
@@ -625,7 +626,7 @@ int secp256k1_silentpayments_recipient_scan_outputs(
* Thus, we know that label_ge = tx_output_gej + output_negated_ge cannot be the
* point at infinity.
*/
- VERIFY_CHECK(ret && len == 33);
+ secp256k1_sp_ge_serialize33(&label_ge, label33);
label_tweak = label_lookup(label33, label_context);
if (label_tweak != NULL) {
found = 1;
w0xlt
left a comment
w0xlt
left a comment
There was a problem hiding this comment.
nit: The following diff removes the implicit cast and clarifies that k is 4 bytes
diff --git a/src/modules/silentpayments/main_impl.h b/src/modules/silentpayments/main_impl.h
index 922433d..d94aed6 100644
--- a/src/modules/silentpayments/main_impl.h
+++ b/src/modules/silentpayments/main_impl.h
@@ -512,7 +512,8 @@ int secp256k1_silentpayments_recipient_scan_outputs(
secp256k1_xonly_pubkey output_xonly;
unsigned char shared_secret[33];
const unsigned char *label_tweak = NULL;
- size_t j, k, found_idx;
+ size_t j, found_idx;
+ uint32_t k;
int found, combined, valid_scan_key, ret;
/* Sanity check inputs */
jonasnick
left a comment
jonasnick
left a comment
There was a problem hiding this comment.
Thanks @theStack for the new PR. I can confirm that this PR is a rebased version of #1698, with the light client functionality removed and comments addressed, except for:
- #1698 (comment)
- #1698 (comment)
- #1698 (review) (only the last one, "elemement")
Is there a reason for serializing prevouts_summary without light client functionality? If not, I think the don't do this comment is sufficient. Right now, in contrast to the docs of all other opaque objects, this is missing, however:
|
Add a routine for the entire sending flow which takes a set of private keys,
the smallest outpoint, and list of recipients and returns a list of
x-only public keys by performing the following steps:
1. Sum up the private keys
2. Calculate the input_hash
3. For each recipient group:
3a. Calculate a shared secret
3b. Create the requested number of outputs
This function assumes a single sender context in that it requires the
sender to have access to all of the private keys. In the future, this
API may be expanded to allow for a multiple senders or for a single
sender who does not have access to all private keys at any given time,
but for now these modes are considered out of scope / unsafe.
Internal to the library, add:
1. A function for creating shared secrets (i.e., a*B or b*A)
2. A function for generating the "SharedSecret" tagged hash
3. A function for creating a single output public key
theStack
force-pushed
the
silentpayments_module_fullnode_only
branch
from
c11d30c to
445f2e8
Compare
|
@w0xlt, @jonasnick: Thanks for the reviews! I've addressed the suggested changes:
Given that this compressed-pubkey-serialization pattern shows up repeatedly also in other modules (ellswift, musig), I think it would make the most sense to add a general helper (e.g. in eckey{,_impl}.h), which could be done in an independent PR. I've opened issue #1773 to see if there is conceptual support for doing this.
Good point, I can't think of a good reason for full nodes wanting to serialize prevouts_summary. |
Add function for creating a label tweak. This requires a tagged hash function for labels. This function is used by the receiver for creating labels to be used for a) creating labeled addresses and b) to populate a labels cache when scanning. Add function for creating a labeled spend pubkey. This involves taking a label tweak, turning it into a public key and adding it to the spend public key. This function is used by the receiver to create a labeled silent payment address. Add tests for the label API.
Add routine for scanning a transaction and returning the necessary spending data for any found outputs. This function works with labels via a lookup callback and requires access to the transaction outputs. Requiring access to the transaction outputs is not suitable for light clients, but light client support is enabled in the next commit. Add an opaque data type for passing around the prevout public key sum and the input hash tweak (input_hash). This data is passed to the scanner before the ECDH step as two separate elements so that the scanner can multiply the scan_key * input_hash before doing ECDH. Finally, add test coverage for the receiving API.
Demonstrate sending and scanning on full nodes.
Add a benchmark for a full transaction scan. Only benchmarks for scanning are added as this is the most performance critical portion of the protocol. Co-authored-by: Sebastian Falbesoner <[email protected]>
Add the BIP-352 test vectors. The vectors are generated with a Python script that converts the .json file from the BIP to C code: $ ./tools/tests_silentpayments_generate.py test_vectors.json > ./src/modules/silentpayments/vectors.h Co-authored-by: Ron <[email protected]> Co-authored-by: Sebastian Falbesoner <[email protected]> Co-authored-by: Tim Ruffing <[email protected]>
Co-authored-by: Jonas Nick <[email protected]> Co-authored-by: Sebastian Falbesoner <[email protected]>
Test midstate tags used in silent payments.
theStack
force-pushed
the
silentpayments_module_fullnode_only
branch
from
445f2e8 to
9103229
Compare
|
To address the open questions, I’ve reviewed the proposed changes by @w0xlt on 8d16914. I'm going to focus more on the key aspects I extracted from the review and the merits of each change, rather on the big O improvement claims, because I didn't get that far. These are multiple different changes rather than a single one, so to make the review easier I suggest to brake it in multiple commits. I would state on each of them the purpose and the real case scenario where the change would be relevant. Also, I would use clearer names for the variables or at least document their purpose. The changes I've identified so far are the following:
In general I agree with @jonasnick that we should define a clear target to benchmark and improve. As I've said before, the base case should be a wallet with a single label for change. In conclusion, from the proposed commit and the discussion around it, the only changes I've found clear enough to consider are:
|
|
Thanks @nymius for reviewing the changes, addressing the main points, and proposing a simplification. I’m currently splitting the optimization commit into smaller pieces to make it easier to review. The only part of the discussion that still feels a bit ambiguous is the “base” or “usual” case. So the goal of this optimization would be to mitigate that scenario, not the collaborative one. |
|
I ran the Without the Answering the questions: The optimized receiver implementation relies on a heuristic (the
|
6 participants
Description
This PR implements BIP352 with scanning limited to full-nodes. Light-client scanning is planned to be added in a separate PR in the future. The following 5 API functions are currently introduced:
Sender side [BIP description]:
secp256k1_silentpayments_sender_create_outputs: given a list ofReceiver side, label creation [BIP description]:
secp256k1_recipient_create_label: given a scan secret key and label integer, calculate the corresponding label_tweak and label public keysecp256k1_recipient_create_labeled_spend_pubkey: given a spend public key and a label public key, create the corresponding labeled spend public keyReceiver side, scanning [BIP description]:
secp256k1_recipient_prevouts_summary_create: given a list ofprevouts_summaryobject needed for scanningsecp256k1_recipient_scan_outputs: given aprevouts_summaryobject, a recipients scan secret key and spend public key, and the relevant transaction outputs (x-only public keys), scan for outputs belonging to the recipients and and return the tweak(s) needed for spending the output(s). Optionally, a label_lookup callback function can be provided to also scan for labels.For a higher-level overview on what these functions exactly do, it's suggested to look at a corresponding Python implementation that was created based on the secp256k1lab project (it passes the test vectors, so this "executable pseudo-code" should be correct).
Changes to the previous take
Based on the latest state of the previous PR #1698 (take 3), the following changes have been made:
_prevout_summary_{parse,serialize},__recipient_create_output_pubkeys), adapted tests and benchmark accordinglyThe scope reduction isn't immediately visible in commit count (only one commit was only introducing light-client relevant functionality and could be completely removed), but the review burden compared #1698 is still significantly lower in terms of LOC, especially in the receiving commit.
Open questions / TODOs
prevouts_summary(de)serialization functionality yet in the API poses the risk that users try to do it anyway by treating the opaque object as "serialized". How to cope with that? Is adding a "don't do this" comment in API header sufficient?