Encapsulate `secp256k1_xonly_pubkey_load` for external access #1143

pull w0xlt wants to merge 1 commits into bitcoin-core:master from w0xlt:x_only_pubkey_to_pubkey changing 3 files +66 −0
  1. w0xlt commented at 4:16 AM on October 9, 2022: none

    Apparently there is no way to sum public keys if they are x-only, even if the user knows how to handle the lost prefix byte.

    I noticed that in the code currently, the secp256k1_xonly_pubkey_load function is already used to do this conversion safely, but it is not exposed to be used.

    This PR creates a wrapper function for secp256k1_xonly_pubkey_load and adds in the function description the warning that the conversion always generates the public key with even y.

  2. w0xlt renamed this:
    Encapslate `secp256k1_xonly_pubkey_load` for external access
    Encapsulate `secp256k1_xonly_pubkey_load` for external access
    on Oct 9, 2022
  3. w0xlt force-pushed on Oct 9, 2022
  4. ZenulAbidin commented at 4:14 PM on October 9, 2022: contributor

    Supposing a user really knew what they were doing - wouldn't they just bundle libsecp256k1 compiled as a depenency of their project, but forking it to add wrappers for unexposed functions that they need only for their own project?

  5. sipa commented at 4:18 PM on October 9, 2022: contributor

    What's the use case?

    We consider the fact that the library such a lowlevel function as point addition to be a historic mistake. Longer term, we hope to replace it with more specific modules for higher-level protocols that need it, such as BIP32 and BIP341.

  6. w0xlt commented at 6:06 PM on October 9, 2022: none

    The use case is https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8#variant-using-all-inputs (create a silent payment using all inputs, which increases privacy and makes it compatible with Coinjoin).

    If there are three inputs (I1, I2, I3), the scheme becomes: hash(i1*X + i2*X + i3*X)*G + X == hash(x*(I1+I2+I3))*G + X.

    But in the case of Taproot input, the available public key is x-only. So a conversion is needed to be able to use secp256k1_ec_pubkey_combine with the other inputs.

  7. encapslate `secp256k1_xonly_pubkey_load` for external access f9d1e7d6f0
  8. w0xlt force-pushed on Oct 9, 2022
  9. apoelstra commented at 4:16 PM on October 10, 2022: contributor

    It looks like you are doing an ECDH exchange with multiple parties and then adding the resulting shared secret with no further rerandomization. This sounds suspicious and unlikely to be secure. In particular it is susceptible to rogue-key attacks wherein one input is chosen that cancels out the others. (Maybe this is okay for your use-case. But it makes me uncomfortable.)

    My feeling is that you just do normal ECDH and then concatenate and hash the resulting shared secrets. But this would eliminate any hope of interactivity without revealing every shared secret to every participant (again, maybe this is okay?). The resulting scheme is significantly easier to reason about.

    At the very least you should musig-combine the individual keys which will prevent rogue-key attacks.

  10. w0xlt cross-referenced this on Oct 11, 2022 from issue [Draft / POC] Silent Payments by w0xlt
  11. w0xlt commented at 6:34 PM on October 17, 2022: none

    @apoelstra Thanks for the feedback. The silent payment scheme does not use multiple parties, only the inputs of a transaction, so a re-randomization may not be useful in this case.

    Anyway, I'm closing this PR as it's unlikely to be merged, and I've changed the silent payment PR to simply add 2 in front of the x-only pubkey.

  12. w0xlt closed this on Oct 17, 2022
  13. w0xlt deleted the branch on Oct 17, 2022
Contributors
w0xltZenulAbidinsipaapoelstra
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-18 21:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me