Add BIP352 module (take 3)

[josibake]

This PR implements BIP352 - Silent payments. It is recommended to read through the BIP before reviewing this PR.

This is a continuation of the work in #1519 and only opened as a new PR due to the comment history on #1519 becoming quite long and difficult to sift through. It is recommended reviewers go through #1519 for background context, if interested.

[josibake]

Updated 6264c3d -> 9e85256 (2025_00 -> 2025_01, compare)

• Added documentation for expectations around label_lookup pointer lifetimes (h/t @antonilol)
• Update docs to accurately reflect that label_context is optional (h/t @antonilol)
• Added a test case for passing a lookup callback with a null context (which required some small updates to the test label lookup function)

[real-or-random]

Sorry, stopping CI here. We're about to make a release and need to the CI. :)

We'll restart the jobs here afterwards.

[josibake]

Update 9e85256 -> a4db279 (2025_01 -> 2025_02, compare)

• Update the constant time tests to cover the _recipient_created_shared_secret and _recipient_created_output_pubkey functions (h/t @theStack )
• Remove no longer needed TODO comments and clarify why a constant time test without a label lookup function is sufficient for _recipient_scan_outputs

[josibake]

Rebased on top of 0.7.0 release 🎉 a4db279 -> e35bede (2025_02 -> 2025_02_rebase, compare)

[josibake]

I did a deep dive on using (*arg)[size] in this PR and opened #1710 for discussion, since this is a broader topic than just this PR. The relevant changes for here and the downstream Bitcoin Core PRs are josibake@5a10880 and josibake/bitcoin@5835d98

[josibake]

Updated e35bede -> 1a84908 (2025_02_rebase -> 2025_03, compare)

• Added a test case for the _recipient_create_output_pubkey corner case (h/t @theStack)
• Removed the VERIFY_CHECK in favour of returning an error

[josibake]

Update 1a84908 -> 2948a9b (2025_03 -> 2025_04, compare)

• Fixed valgrind error in test
• Update the example to use EXIT_SUCCESS/EXIT_FAILURE (h/t @theStack)
• Clear shared secret variable consistently (and update comment) (h/t @theStack)
• Add comment explaining why we declassify the pubkey sum (h/t @theStack)

Thanks for the thorough review, @theStack !

[josibake]

Update 2948a9b -> 64ecd6c (2025_04 -> 2025_05, compare)

• Remove no longer needed TODO comment regarding _cmov
• Remove todo comment regarding input_hash, now that this is properly specified in the BIP

cc @jonasnick and @real-or-random regarding the use of a VERIFY_CHECK in favour of returning an error, when returning an error results in an untestable branch. I'm happy with the approach here were we use a VERIFY_CHECK for input_hash and t_k to check for an overflow of the curve order. However, given this is something we've discussed a few times in the post, would be great to hear your thoughts on this and I'm happy to defer to whatever you both think is best.

This should address all of the outstanding TODOs (at least the ones we left comments for 😅 )

[josibake]

Updated 64ecd6c -> 3c4af8f (2025_05 -> 2025_06, compare)

• Updates the benchmarks per @theStack 's suggestion to have separate benchmarks for _full_scan and full_scan_with_labels
• Leave a TODO comment for a follow-up to make the labels benchmark more representative of real world usage
• Cleans up the benchmark arguments and formatting

[theStack]

In the CI commit, could add the silent payments module also to the native macOS arm64 job (as done for musig recently in #1699), e.g.

diff

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8ee13ce..f612a84 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -583,13 +583,13 @@ jobs:
       fail-fast: false
       matrix:
         env_vars:
-          - { WIDEMUL: 'int64',  RECOVERY: 'yes', ECDH: 'yes', EXTRAKEYS: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes' }
+          - { WIDEMUL: 'int64',  RECOVERY: 'yes', ECDH: 'yes', EXTRAKEYS: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', SILENTPAYMENTS: 'yes' }
           - { WIDEMUL: 'int128_struct', ECMULTGENPRECISION: 2, ECMULTWINDOW: 4 }
-          - { WIDEMUL: 'int128',                  ECDH: 'yes', EXTRAKEYS: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes' }
+          - { WIDEMUL: 'int128',                  ECDH: 'yes', EXTRAKEYS: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', SILENTPAYMENTS: 'yes' }
           - { WIDEMUL: 'int128', RECOVERY: 'yes' }
-          - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', EXTRAKEYS: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes' }
-          - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', EXTRAKEYS: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', CC: 'gcc' }
-          - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', EXTRAKEYS: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', CPPFLAGS: '-DVERIFY' }
+          - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', EXTRAKEYS: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', SILENTPAYMENTS: 'yes' }
+          - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', EXTRAKEYS: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', SILENTPAYMENTS: 'yes', CC: 'gcc' }
+          - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', EXTRAKEYS: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', SILENTPAYMENTS: 'yes', CPPFLAGS: '-DVERIFY' }
           - BUILD: 'distcheck'
 
     steps:

(untested)

[josibake]

Updated 142f07b -> 2b57d2a (2025_11 -> 2025_12, compare)

• Documentation fixes (h/t @theStack)
• Added VERIFY_CHECK and more consistent ret (h/t @theStack)
• Removed dead code from tests and improved legibility (h/t @theStack)

[josibake]

Updated 2b57d2a -> a428424 (2025_12 -> 2025_13, compare)

• Remove extra check to make the autotools build system consistent with other modules (h/t @real-or-random )
• Various wording fix-ups (h/t @real-or-random)
• Use spend_pubkey to indicate a spend public key that might also have a tweak and unlabeled_spend_pubkey we mean to refer the unlabeled spend public key (vs labeled_spend_pubkey and spend_pubkey) (h/t @real-or-random )
• Reword the sending API docs to avoid mentioning "sorting"

Thanks for the review @real-or-random , much prefer your wording suggestions. I pushed a version of the docs that I think helps minimise confusion about sorting, but curious to hear your thoughts as I imagine these docs will still need a bit of refining.

[josibake]

Updated a428424 -> 99aef92 (2025_13 -> 2025_14, compare)

• Add tests for the tagged hash midstates used in silent payments (h/t @real-or-random )

The first commit moves the convenience function for verifying tagged hashes out of the musig module and is pulled in from #1725.

[real-or-random]

I've made my way through sending (ignoring the public header for now) and I pushed some suggestions for fixups here: master...real-or-random:secp256k1:bip352-silentpayments-module-2025-sending-fixups (and some fixups also to receiving, I hope I always picked the right commit to fixup). See commit messages for rationale. Some of these may be opinionated, so feel free to reject, disagree, or adjust.

[real-or-random]

This could also test with an illegal s, I think.

[josibake]

Updated 99aef92 -> 2164d5c (2025_14 -> 2025_15, compare)

Primarily updates the sending commit, with a few changes to the receiving commit:

• Rebased on tests: refactor tagged hash verification #1725
• IWYU (h/t @real-or-random )
• Improve comments regarding the scan key, i.e., stop referring to it as "secret-but-not-really" and explicitly mention what happens if the scan key is leaked (h/t @real-or-random )
• Use the more precise terminology "negligible probability" (h/t @real-or-random and crypto camp, where this has been explained! 😄 )
• General wording, clarity improvements for the code/comments

Thanks for the thorough review, @real-or-random ! I reviewed each fixup commit and ended up taking all of them, as I agree with the rational and much prefer the wording(s) you suggested. Also, thanks for the fixup! branch; the branch made it super simple to integrate your changes.