add secp256k1_silentpayments_verify_proof

include/secp256k1_silentpayments.h

@@ -442,6 +442,29 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_recipien
     unsigned int k
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
+/** Verifies the Silent Payment proof. If the following algorithm succeeds, the points A and C were both generated from
+ * the same scalar. The former from multiplying by G, and the latter from multiplying by B.
+ *
+ * Here, A refers to input public key sum (present in public_data)
+ *       B refers to recipient's scan pubkey
+ *       C refers to shared_secret point
+ *
+ *  Returns: 1 if verification of proof was successful. 0 if an error occurred.
+ *  Args:                ctx: pointer to a context object
+ *  In:        shared_secret: 33 bytes shared secret
+ *                     proof: 64 bytes DLEQ proof
+ *     recipient_scan_pubkey: pointer to the recipient's scan pubkey
+ *               public_data: pointer to the input public key sum (optionally, with the `input_hash` multiplied in,
+ *                            see `_recipient_public_data_create`).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_silentpayments_verify_proof(
+        const secp256k1_context *ctx,
+        const unsigned char *shared_secret33,
+        const unsigned char *proof64,
+        const secp256k1_pubkey *recipient_scan_pubkey,
+        const secp256k1_silentpayments_public_data *public_data
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
 /** Serialize a secp256k1_silentpayments_dleq_data object into a 101-byte sequence.
  *  101-byte sequence = 33 bytes shared secret + 64 bytes proof + 4 bytes index
  *                      where index is position in an array of pointers to silent payment recipients

src/modules/silentpayments/main_impl.h

@@ -694,6 +694,40 @@ int secp256k1_silentpayments_recipient_create_output_pubkey(const secp256k1_cont
     return secp256k1_silentpayments_create_output_pubkey(ctx, P_output_xonly, shared_secret33, recipient_spend_pubkey, k);
 }
 
+int secp256k1_silentpayments_verify_proof(const secp256k1_context *ctx, const unsigned char *shared_secret33, const unsigned char *proof64, const secp256k1_pubkey *recipient_scan_pubkey, const secp256k1_silentpayments_public_data *public_data)
+{
+    secp256k1_scalar s;
+    secp256k1_scalar e;
+    secp256k1_pubkey pk;
+    secp256k1_ge pubkey_sum;
+    secp256k1_ge scan_pubkey;
+    secp256k1_ge shared_secret;
+    size_t pubkeylen = 33;
+    unsigned char input_hash[32];
+    int ret = 1;
+    int combined;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(shared_secret33 != NULL);
+    ARG_CHECK(proof64 != NULL);
+    ARG_CHECK(recipient_scan_pubkey != NULL);
+    ARG_CHECK(public_data != NULL);
+
+    ret &= secp256k1_silentpayments_recipient_public_data_load_pubkey(ctx, &pk, public_data);
+    combined = (int)public_data->data[0];
+    if (!combined) {
+        secp256k1_silentpayments_recipient_public_data_load_input_hash(input_hash, public_data);
+        ret &= secp256k1_ec_pubkey_tweak_mul(ctx, &pk, input_hash);
+    }
+    ret &= secp256k1_pubkey_load(ctx, &pubkey_sum, &pk);
+    ret &= secp256k1_pubkey_load(ctx, &scan_pubkey, recipient_scan_pubkey);
+    ret &= secp256k1_ec_pubkey_parse(ctx, &pk, shared_secret33, pubkeylen);
+    ret &= secp256k1_pubkey_load(ctx, &shared_secret, &pk);
+    secp256k1_scalar_set_b32(&s, proof64, NULL);
+    secp256k1_scalar_set_b32(&e, proof64 + 32, NULL);
+    ret &= secp256k1_dleq_verify(&s, &e, &pubkey_sum, &scan_pubkey, &shared_secret, NULL);
+    return ret;
+}
 
 void secp256k1_silentpayments_dleq_data_serialize(unsigned char *output, const secp256k1_silentpayments_dleq_data *dleq_data) {
     memcpy(output, dleq_data->shared_secret, 33);