Description
This PR implements BIP352 with scanning limited to full-nodes. Light-client scanning is planned to be added in a separate PR in the future. The following 5 API functions are currently introduced:
Sender side [BIP description]:
secp256k1_silentpayments_sender_create_outputs: given a list of $n$ secret keys $a_1 … a_n$, a serialized outpoint, and a list of recipients (each consisting of silent payments scan pubkey and spend pubkey), create the corresponding transaction outputs (x-only public keys) for the sending transaction
Receiver side, label creation [BIP description]:
secp256k1_recipient_create_label: given a scan secret key and label integer, calculate the corresponding label_tweak and label public keysecp256k1_recipient_create_labeled_spend_pubkey: given a spend public key and a label public key, create the corresponding labeled spend public key
Receiver side, scanning [BIP description]:
secp256k1_recipient_prevouts_summary_create: given a list of $n$ public keys $A_1 … A_n$ and a serialized outpoint, create aprevouts_summaryobject needed for scanningsecp256k1_recipient_scan_outputs: given aprevouts_summaryobject, a recipients scan secret key and spend public key, and the relevant transaction outputs (x-only public keys), scan for outputs belonging to the recipients and and return the tweak(s) needed for spending the output(s). Optionally, a label_lookup callback function can be provided to also scan for labels.
Changes to the previous take
Based on the latest state of the previous PR #1698 (take 3), the following changes have been made:
- rebased on master (adapting to the new unit test framework added in #1734; thanks to furszy for his mini-guide)
- removed functionality that is only relevant for light clients (
_prevout_summary_{parse,serialize},__recipient_create_output_pubkeys), adapted tests and benchmark accordingly - adapted examples to have both Bob and Carol do full-node scanning, with a TODO to switch the latter to light-client scanning once available in the future
- addressed various review comments, if still relevant (https://github.com/bitcoin-core/secp256k1/pull/1698#discussion_r2433803533, #1698 (review), #1698 (review), #1698 (review))
The scope reduction isn’t immediately visible in commit count (only one commit was only introducing light-client relevant functionality and could be completely removed), but the review burden compared #1698 is still significantly lower in terms of LOC, especially in the receiving commit.
Open questions / TODOs
- Recent proposals of reducing the worst-case scanning time (see posts by w0xlt and jonasnick, #1698 (comment) ff.) are not taken into account yet.
- Not providing
prevouts_summary(de)serialization functionality yet in the API poses the risk that users try to do it anyway by treating the opaque object as “serialized”. How to cope with that? Is adding a “don’t do this” comment in API header sufficient?