Silent Payments: Implement bip352 (take 2) #35301

in 6355a904945d0d5704032e464f20a69a5d82a91b: Since #34225 (commit f36d89f4363a25f7948a0f7096201ef8e15045d8), the sign context can be accessed via GetSecp256k1SignContext, i.e. by using this in the API calls below, this line and the symbol visibility change in key.cpp are not needed anymore

Done.

in 6355a904945d0d5704032e464f20a69a5d82a91b: typo: s/uint156/uint256/

Done.

in 6355a904945d0d5704032e464f20a69a5d82a91b: nit: missing doxygen @param entry for prevouts_summary above

Done.

in 6355a904945d0d5704032e464f20a69a5d82a91b:

        ret &= secp256k1_ec_pubkey_parse(secp256k1_context_static, &recipient_obj.spend_pubkey, recipients[i].m_spend_pubkey.data(), recipients[i].m_spend_pubkey.size());

to ensure both pubkey_parse are successful (or alternatively, could place an extra assert(ret) line after the first call)

I added an assert(ret); after the first call, so that it is easier to determine which of the pubkeys is invalid, in the event of a crash.

in 6355a904945d0d5704032e464f20a69a5d82a91b: IIUC, this call could fail if a transaction is scanned where one of the P2TR outputs encodes an invalid x-only pubkey (i.e. not on the curve), so I suppose this should be changed to e.g. if (!ret) continue; to avoid a crash (unless we demand from the caller that tx_outputs only contain valid x-only pubkeys already)

Changed to if (!ret) continue;

in 6355a904945d0d5704032e464f20a69a5d82a91b: comment doesn't apply

Done.

in ba4b734ec89d590951574d2714867afab27d1347: nit: could add a corresponding new entry to the comment list a few lines above

Done.

in ba4b734ec89d590951574d2714867afab27d1347: pedantic nit: according to BIP-352 the limit is 1023 (not sure which of the two values make more sense, as I'm not very familiar with BIP-173; for SPV0 it doesn't matter anyways)

Changed to 1023 to match the BIP specification. AFAICT, there is no reason to use 1024; the most likely reason for it being 1024 is that the BIP might have stated 1024 and was updated to 1023 at some point in the past.

in 602835e08070cab981842ce4cd5065730b3e8c48 (and 6b71f145ccfdbfe41f7f666d373efb0a68e30375 ff.): nitty nit: personally, I would slightly prefer to use the plural form in the code base since it's the widely used protocol name

    const std::string& SilentPaymentsHRP() const { return silent_payments_hrp; }

Done. I also pluralised the name in other function names, variable names and comments.

in 6b71f145ccfdbfe41f7f666d373efb0a68e30375: Related to a recent off-band discussion we had, I wonder if we should check the validity of the pubkeys (i.e. following the compressed pubkey format and being on the curve) already at this point, e.g. via

            if (!scan_pukey.IsFullyValid() || !spend_pubkey.IsFullyValid()) return CNoDestination();

We don't do the same when decoding taproot addresses (currently the only other address format that directly encodes public keys, without hashing), but the difference with SP here is that an actual output script can't even be derived in this case, so it could make more sense to reject as early as possible.

Done.

in aca8a8f3da02b925f8975ffa6f31468fafdc2ef9: looks like test vectors .json file needs to be updated (to BIP-352 version 1.1.1, see latest change https://github.com/bitcoin/bips/pull/2142).

Updated to the test_vectors in https://github.com/bitcoin/bips/pull/2142

in 0287192f099299fb7a0b7f83f5e3bfb3174ed152: unless I'm missing something, there is nothing wrong in checking that the witness stack is non-empty before accessing it, and the TODO could simply be removed

Removed.

in 6b71f145ccfdbfe41f7f666d373efb0a68e30375: pedantic nit: the version byte is not part of the ConvertBits input, i.e. this should be

        // ConvertBits will expand each 8-bit byte into 5-bit chunks,
        // i.e. 1 + (66 * 8 / 5) = 106.6 -> so we reserve 107
        data_out.reserve(107);

(verified that data_out has indeed a size of 107 by adding debug outputs)

Updated.

in aca8a8f3da02b925f8975ffa6f31468fafdc2ef9: could do a round-trip test in the if body, to also add test coverage for encoding SP addresses, e.g.

       auto encoded_sp_addr = EncodeDestination(*sp);
       BOOST_CHECK(encoded_sp_addr == silent_payment_addresses[i].get_str());

I added some tests for Encoding and Decoding V0SilentPaymentsDestination to key_io_tests.cpp in https://github.com/bitcoin/bitcoin/pull/35301/commits/15a2bdd5a18ac6d543b669f9230ea5bd7352c497

in aca8a8f3da02b925f8975ffa6f31468fafdc2ef9: this function is currently unused

Removed.

in 5b0d46e13980f227908186dfdd529d030ff7400a: I suppose using std::unordered_map for the labels cache would be the better choice for performance reasons, at least if we ever support a large number of labels (it doesn't matter until actual SP receiving support is implemented though, and can be re-evaluated and benchmarked then)

Changed to std::unordered_map, but that required that I change the labels cache from map<CPubKey, uint256> to unordered_map<CKeyID, uint256, SaltedSipHasher> because CPubKey doesn't have a hash function suitable for use with unordered_map.

in 5b0d46e13980f227908186dfdd529d030ff7400a: could assert(ret) here as well, as this serialization should never fail

Done.

in 5b0d46e13980f227908186dfdd529d030ff7400a: this change isn't needed anymore, since you are using the GetSecp256k1SignContext() access function now

Done.

in 7df966bc37fe640660ff8a9cd55a9fd5331527dc: consistency micro-nit: in other destination classes, the private: part comes before the public one, so could move this up

Done.

in 7df966bc37fe640660ff8a9cd55a9fd5331527dc: nit: I think this could be simplified to a one-liner

        return (a.m_scan_pubkey == b.m_scan_pubkey) && (a.m_spend_pubkey == b.m_spend_pubkey);

without changing the logic or performance (didn't verify though).

Done.

in 061edd8f427674914d98a22e118122fd8dd0a0c8: currently, SP addresses with (not yet specified) versions 1-30 are already accepted and get shoehorned into V0SilentPaymentsDestinations. Is that intentional? I guess it's not and it's fine to only allow V0 destinations for now, but if yes, we should probably add tests for v1-v30 addresses; might be a bit tricky though as the encoding round-trip tests would obviously fail.

I added a new struct, called UnknownSilentPaymentsVersion, to handle versions 1 to 30. I added some valid and invalid addresses with a version greater than zero.

GenerateSilentPaymentsTaprootDestinations() documents sp_dests keys as final tx.vout positions, but returns generated outputs under contiguous indexes 0..n-1.

If SP outputs are mixed with regular outputs, callers would assign them to the wrong positions; the original map keys should be preserved.

Diff:

diff --git a/src/common/bip352.cpp b/src/common/bip352.cpp
index 1580e1f8f8..0ac71d456f 100644
--- a/src/common/bip352.cpp
+++ b/src/common/bip352.cpp
@@ -234,8 +234,11 @@ std::optional<std::map<size_t, WitnessV1Taproot>> GenerateSilentPaymentsTaprootD
     bool ret;
     std::map<size_t, WitnessV1Taproot> tr_dests;
     std::vector<V0SilentPaymentsDestination> recipients;
+    std::vector<size_t> positions;
     recipients.reserve(sp_dests.size());
-    for (const auto& [_, addr] : sp_dests) {
+    positions.reserve(sp_dests.size());
+    for (const auto& [pos, addr] : sp_dests) {
+        positions.push_back(pos);
         recipients.push_back(addr);
     }
     std::vector<secp256k1_xonly_pubkey> outputs = CreateOutputs(recipients, plain_keys, taproot_keys, smallest_outpoint);
@@ -245,7 +248,7 @@ std::optional<std::map<size_t, WitnessV1Taproot>> GenerateSilentPaymentsTaprootD
         unsigned char xonly_pubkey_bytes[32];
         ret = secp256k1_xonly_pubkey_serialize(secp256k1_context_static, xonly_pubkey_bytes, &outputs[i]);
         assert(ret);
-        tr_dests[i] = WitnessV1Taproot{XOnlyPubKey{xonly_pubkey_bytes}};
+        tr_dests[positions[i]] = WitnessV1Taproot{XOnlyPubKey{xonly_pubkey_bytes}};
     }
     return tr_dests;
 }

Test:

diff --git a/src/test/bip352_tests.cpp b/src/test/bip352_tests.cpp
index cd5fda38da..bc05fcf107 100644
--- a/src/test/bip352_tests.cpp
+++ b/src/test/bip352_tests.cpp
@@ -27,6 +27,25 @@ CKey ParseHexToCKey(std::string hex) {
     return output;
 };
 
+BOOST_AUTO_TEST_CASE(bip352_preserves_requested_output_indexes)
+{
+    CKey sender_key = ParseHexToCKey("0000000000000000000000000000000000000000000000000000000000000001");
+    CKey scan_key = ParseHexToCKey("0000000000000000000000000000000000000000000000000000000000000002");
+    CKey spend_key = ParseHexToCKey("0000000000000000000000000000000000000000000000000000000000000003");
+    V0SilentPaymentsDestination sp_dest{scan_key.GetPubKey(), spend_key.GetPubKey()};
+    std::map<size_t, V0SilentPaymentsDestination> sp_dests{{2, sp_dest}, {5, sp_dest}};
+    COutPoint smallest_outpoint{Txid::FromHex("0000000000000000000000000000000000000000000000000000000000000001").value(), 0};
+
+    auto generated = bip352::GenerateSilentPaymentsTaprootDestinations(sp_dests, {sender_key}, {}, smallest_outpoint);
+
+    BOOST_REQUIRE(generated.has_value());
+    BOOST_CHECK_EQUAL(generated->size(), sp_dests.size());
+    BOOST_CHECK_EQUAL(generated->count(0), 0);
+    BOOST_CHECK_EQUAL(generated->count(1), 0);
+    BOOST_CHECK_EQUAL(generated->count(2), 1);
+    BOOST_CHECK_EQUAL(generated->count(5), 1);
+}
+
 BOOST_AUTO_TEST_CASE(bip352_send_and_receive_test_vectors)
 {
     UniValue tests;

Done.

GetSilentPaymentsPrevoutsSummary() currently still builds scan data when a transaction has an eligible input plus another input spending an unknown SegWit version (>1) prevout.

BIP352 v0 says those transactions must be skipped entirely, so this should return no prevouts summary as soon as any spent prevout is witness v2+.

Diff:

diff --git a/src/common/bip352.cpp b/src/common/bip352.cpp
index 1580e1f8f8..2ccae373c8 100644
--- a/src/common/bip352.cpp
+++ b/src/common/bip352.cpp
@@ -152,6 +152,12 @@ std::optional<PrevoutsSummary> GetSilentPaymentsPrevoutsSummary(const std::vecto
     for (const CTxIn& txin : vin) {
         const Coin& coin = coins.at(txin.prevout);
         Assert(!coin.IsSpent());
+        int witness_version{0};
+        std::vector<unsigned char> witness_program;
+        // BIP352 v0 skips transactions spending future witness versions.
+        if (coin.out.scriptPubKey.IsWitnessProgram(witness_version, witness_program) && witness_version > 1) {
+            return std::nullopt;
+        }
         tx_outpoints.emplace_back(txin.prevout);
         auto pubkey = GetPubKeyFromInput(txin, coin.out.scriptPubKey);
         if (pubkey.has_value()) {

Test:

diff --git a/src/test/bip352_tests.cpp b/src/test/bip352_tests.cpp
index cd5fda38da..b27823acd4 100644
--- a/src/test/bip352_tests.cpp
+++ b/src/test/bip352_tests.cpp
@@ -27,6 +27,25 @@ CKey ParseHexToCKey(std::string hex) {
     return output;
 };
 
+BOOST_AUTO_TEST_CASE(bip352_skips_transactions_spending_unknown_segwit_versions)
+{
+    CKey key = ParseHexToCKey("0000000000000000000000000000000000000000000000000000000000000001");
+    CPubKey pubkey = key.GetPubKey();
+    COutPoint eligible_outpoint{Txid::FromHex("0000000000000000000000000000000000000000000000000000000000000001").value(), 0};
+    COutPoint unknown_segwit_outpoint{Txid::FromHex("0000000000000000000000000000000000000000000000000000000000000002").value(), 0};
+
+    CTxIn eligible_input{eligible_outpoint};
+    eligible_input.scriptWitness.stack.emplace_back(64, 0);
+    eligible_input.scriptWitness.stack.emplace_back(pubkey.begin(), pubkey.end());
+
+    std::map<COutPoint, Coin> coins;
+    coins[eligible_outpoint] = Coin{CTxOut{{}, GetScriptForDestination(WitnessV0KeyHash{pubkey})}, 0, false};
+    coins[unknown_segwit_outpoint] = Coin{CTxOut{{}, GetScriptForDestination(WitnessUnknown{2, std::vector<unsigned char>(32, 1)})}, 0, false};
+
+    BOOST_REQUIRE(bip352::GetSilentPaymentsPrevoutsSummary({eligible_input}, coins).has_value());
+    BOOST_CHECK(!bip352::GetSilentPaymentsPrevoutsSummary({eligible_input, CTxIn{unknown_segwit_outpoint}}, coins).has_value());
+}
+
 BOOST_AUTO_TEST_CASE(bip352_send_and_receive_test_vectors)
 {
     UniValue tests;

Done.

Silent Payments decoding looks too permissive: it detects SP addresses by HRP prefix and then accepts both BECH32 and BECH32M without requiring dec.hrp == params.SilentPaymentsHRP().

That can make spx... or Bech32-checksummed SP payloads decode as valid SP destinations, while BIP352 should require the exact SP HRP and Bech32m.

Diff:

diff --git a/src/key_io.cpp b/src/key_io.cpp
index 335f02a5ba..e77f616cc7 100644
--- a/src/key_io.cpp
+++ b/src/key_io.cpp
@@ -158,6 +158,14 @@ CTxDestination DecodeDestination(const std::string& str, const CChainParams& par
             return CNoDestination();
         }
         if (is_silent_payment) {
+            if (dec.hrp != params.SilentPaymentsHRP()) {
+                error_str = strprintf("Invalid or unsupported prefix for Silent Payments address (expected %s, got %s).", params.SilentPaymentsHRP(), dec.hrp);
+                return CNoDestination();
+            }
+            if (dec.encoding != bech32::Encoding::BECH32M) {
+                error_str = "Silent Payments address must use Bech32m checksum";
+                return CNoDestination();
+            }
             if (!ConvertBits<5, 8, false>([&](unsigned char c) { data.push_back(c); }, dec.data.begin() + 1, dec.data.end())) {
                 return CNoDestination();
             }

Test:

diff --git a/src/test/data/key_io_invalid.json b/src/test/data/key_io_invalid.json
index 0505dc9e8b..13b3fb0526 100644
--- a/src/test/data/key_io_invalid.json
+++ b/src/test/data/key_io_invalid.json
@@ -209,6 +209,12 @@
     [
         "TB1Q3F9WGNXE9ZMTTMDN5VKVKHYZ8Y0LCV72YV7V5LSXTJXEYHNHEHASLYL0TZ"
     ],
+    [
+        "spx1qq22l5s6l9460ww6t4tkzsy2a7zejurcmzz35pt0ffrzk5erlaykdcqugecjjnjqf7ggq39vl6wexjlm00n66z94v675n7wcux6d2krr68g37pn04"
+    ],
+    [
+        "sp1qq22l5s6l9460ww6t4tkzsy2a7zejurcmzz35pt0ffrzk5erlaykdcqugecjjnjqf7ggq39vl6wexjlm00n66z94v675n7wcux6d2krr68gcwu9kg"
+    ],
     [
         "sp1qqgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq2qugecjjnjqf7ggq39vl6wexjlm00n66z94v675n7wcux6d2krr68g25havg"
     ],

Done.

ScanForSilentPaymentsOutputs skips invalid x-only taproot outputs, but still stores pointers using the original tx_outputs index into the compacted tx_output_objs vector.

If an invalid output appears before a valid one, this can take &tx_output_objs[i] out of bounds or point at the wrong object during scanning.

Diff:

diff --git a/src/common/bip352.cpp b/src/common/bip352.cpp
index 1580e1f8f8..8d019f3469 100644
--- a/src/common/bip352.cpp
+++ b/src/common/bip352.cpp
@@ -316,19 +316,19 @@ std::optional<std::vector<SilentPaymentsOutput>> ScanForSilentPaymentsOutputs(
     tx_output_objs.reserve(tx_outputs.size());
     tx_output_ptrs.reserve(tx_outputs.size());
 
-    for (size_t i = 0; i < tx_outputs.size(); i++) {
-        secp256k1_silentpayments_found_output found_output{};
+    for (const XOnlyPubKey& tx_output : tx_outputs) {
         secp256k1_xonly_pubkey tx_output_obj;
-        found_output_objs.push_back(found_output);
-        found_output_ptrs.push_back(&found_output_objs[i]);
-        ret = secp256k1_xonly_pubkey_parse(secp256k1_context_static, &tx_output_obj, tx_outputs[i].data());
+        ret = secp256k1_xonly_pubkey_parse(secp256k1_context_static, &tx_output_obj, tx_output.data());
         if (!ret) {
             // It is possible that a P2TR output encodes an invalid x-only pubkey.
             continue;
         }
         tx_output_objs.push_back(tx_output_obj);
-        tx_output_ptrs.push_back(&tx_output_objs[i]);
+        tx_output_ptrs.push_back(&tx_output_objs.back());
+        found_output_objs.emplace_back();
+        found_output_ptrs.push_back(&found_output_objs.back());
     }
+    if (tx_output_ptrs.empty()) return {};
 
     // Parse the pubkeys into secp pubkey and xonly_pubkey objects
     ret = secp256k1_ec_pubkey_parse(secp256k1_context_static, &spend_pubkey_obj, recipient_spend_pubkey.data(), recipient_spend_pubkey.size());

diff --git a/src/test/bip352_tests.cpp b/src/test/bip352_tests.cpp
index cd5fda38da..ca9424507d 100644
--- a/src/test/bip352_tests.cpp
+++ b/src/test/bip352_tests.cpp
@@ -197,5 +197,39 @@ BOOST_AUTO_TEST_CASE(bip352_send_and_receive_test_vectors)
         }
     }
 }
+
+BOOST_AUTO_TEST_CASE(bip352_scan_skips_invalid_taproot_outputs)
+{
+    CKey sender_key = ParseHexToCKey("0000000000000000000000000000000000000000000000000000000000000001");
+    CKey scan_key = ParseHexToCKey("0000000000000000000000000000000000000000000000000000000000000002");
+    CKey spend_key = ParseHexToCKey("0000000000000000000000000000000000000000000000000000000000000003");
+    const COutPoint outpoint{Txid::FromHex("0000000000000000000000000000000000000000000000000000000000000001").value(), 0};
+
+    std::map<size_t, V0SilentPaymentsDestination> sp_dests;
+    sp_dests.emplace(0, V0SilentPaymentsDestination{scan_key.GetPubKey(), spend_key.GetPubKey()});
+    const auto sp_tr_dests = bip352::GenerateSilentPaymentsTaprootDestinations(sp_dests, {sender_key}, {}, outpoint);
+    BOOST_REQUIRE(sp_tr_dests.has_value());
+    const XOnlyPubKey expected_output{sp_tr_dests->begin()->second};
+
+    CTxIn txin{outpoint};
+    const CPubKey sender_pubkey{sender_key.GetPubKey()};
+    txin.scriptWitness.stack.emplace_back();
+    txin.scriptWitness.stack.emplace_back(sender_pubkey.begin(), sender_pubkey.end());
+
+    std::map<COutPoint, Coin> coins;
+    coins[outpoint] = Coin{CTxOut{{}, GetScriptForDestination(WitnessV0KeyHash{sender_pubkey})}, 0, false};
+    const auto prevouts_summary = bip352::GetSilentPaymentsPrevoutsSummary({txin}, coins);
+    BOOST_REQUIRE(prevouts_summary.has_value());
+
+    std::vector<XOnlyPubKey> output_pub_keys;
+    output_pub_keys.emplace_back(ParseHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"));
+    output_pub_keys.push_back(expected_output);
+
+    std::unordered_map<CKeyID, uint256, SaltedSipHasher> labels;
+    const auto found_outputs = bip352::ScanForSilentPaymentsOutputs(scan_key, *prevouts_summary, spend_key.GetPubKey(), output_pub_keys, labels);
+    BOOST_REQUIRE(found_outputs.has_value());
+    BOOST_REQUIRE_EQUAL(found_outputs->size(), 1);
+    BOOST_CHECK(found_outputs->front().output == expected_output);
+}
 BOOST_AUTO_TEST_SUITE_END()
 } // namespace wallet

Done.

in b0a0c54f5925c83728d0081f3009eb947b55895c: I think for this function, passing the label (pubkey) rather than the label tweak makes more sense, so the generator point multiplication (already done in CreateLabelTweak via the secp256k1_silentpayments_label_create API function) doesn't have to be repeated manually via .GetPubKey(). The label tweak only becomes relevant once a SP outputs need to be spent, but shouldn't be necessary in a function for address generation.

**
 * [@brief](/bitcoin-bitcoin/contributor/brief/) Generate a silent payments labeled address.
 *
 * [@param](/bitcoin-bitcoin/contributor/param/) recipient                   The recipient's silent payments destination (i.e. scan and spend public keys).
 * [@param](/bitcoin-bitcoin/contributor/param/) label                       The label
 * [@return](/bitcoin-bitcoin/contributor/return/) V0SilentPaymentsDestination The silent payments destination, with `B_spend -> B_spend + label`.
 *
 * [@see](/bitcoin-bitcoin/contributor/see/) CreateLabelTweak(const CKey& scan_key, const int m);
 */
V0SilentPaymentsDestination GenerateSilentPaymentsLabeledAddress(const V0SilentPaymentsDestination& recipient, const CPubKey& label);

Done.

in b0a0c54f5925c83728d0081f3009eb947b55895c: nit: as it's returning more than only the tweak (I suspect in a past iteration it did only that though; that would explain why the tweak is passed to GenerateSilentPaymentsLabeledAddress below currently), could rename the function. Maybe CreateLabelData or simply CreateLabel?

Done.

in b0a0c54f5925c83728d0081f3009eb947b55895c: could use directly CPubKey as the label cache map key type, since by using CKeyID additional hashing steps (via .GetID(), performing Hash160, i.e. SHA-256 + RIPEMD-160) are involved for every lookup, which I suspect would be slower. The only remaining gain would be a smaller size of the map in memory (20 bytes vs. 33 bytes keys), but I doubt that this would ever matter in practice.

CPubKey doesn't have a hash function for use with std::unordered_map. We'll have to check if it's better to use a CPubKey + std::map<CPubKey, uint256> or CKeyID + std::unordered_map<CKeyID, uint256, SaltedSipHasher>. The current plan is to eventually support at least 100_000 labels with the Bitcoin Core wallet; we can run a benchmark with this in mind.