Add BIP-374 DLEQ proof verification

[FreeOnlineUser]

Add BIP-374 DLEQ proof verification

Description

Adds DLEQ (Discrete Log Equality) proof verification as specified in BIP-374. This complements the existing BIP-375 PSBT field support in #79 by providing the actual cryptographic verification.

What this adds

• verify_dleq_proof(A, B, C, proof) - Verify a BIP-374 DLEQ proof
• generate_dleq_proof(a, B) - Generate a DLEQ proof (for testing/coordinators)
• tagged_hash(tag, data) - BIP-340 style tagged hashing

Why this matters

BIP-375 Silent Payments PSBTs include DLEQ proofs (PSBT_GLOBAL_SP_DLEQ) to prove ECDH shares were computed correctly. Without verification, signing devices must trust the coordinator's math.
With this, a signing device can:

1. Extract DLEQ proof from PSBT (using Implement BIP-375 Silent Payments PSBT Fields #79)
2. Verify the proof cryptographically
3. Confirm the Silent Payment output was derived correctly before signing

Usage

from embit.dleq import verify_dleq_proof

# Extract from BIP-375 PSBT fields
A = sum_of_input_pubkeys  # or single input pubkey
B = recipient_scan_key    # from PSBT_OUT_SP_V0_INFO
C = ecdh_share           # from PSBT_GLOBAL_SP_ECDH_SHARE
proof = dleq_proof       # from PSBT_GLOBAL_SP_DLEQ

if verify_dleq_proof(A, B, C, proof):
    print("ECDH share verified - safe to sign")

Implementation notes

• Uses embit's existing secp256k1 bindings
• ec_pubkey_negate() returns a new point (doesn't modify in-place)
• 13 unit tests covering generation, verification, and edge cases

Related

• Implement BIP-375 Silent Payments PSBT Fields #79 - BIP-375 PSBT field parsing (this adds verification for those fields)
• [New Feature]: BIP-352 Sender Side Protocol #96 - BIP-352 sender side
• SeedSigner PR #864 - Working implementation using this code

References

• BIP-374: DLEQ Proofs
• BIP-375: Sending Silent Payments with PSBTs

[FreeOnlineUser]

Added edge case hardening based on cryptographic review:

Verification (verify_dleq_proof):

• Added e >= SECP256K1_ORDER check (prevents malleability)
• Added point-at-infinity validation for R1/R2 (rejects invalid 33-byte results)

Generation (generate_dleq_proof):

• Added private key range validation (a ∈ [1, n))
• Added nonce zero check after modular reduction

Tests:

• Added 4 new tests for edge cases (17 total, all passing)
• Tests cover: e >= n, s >= n, a == 0, a >= n, k == 0

Spec Compliance Note:

This implements BIP-374 DLEQ verification for BIP-375 Silent Payments use cases. The optional message parameter (m) is not implemented as BIP-375 doesn't use it. Proofs verify correctly for the BIP-375 workflow (message field empty). Can add message support if needed for other use cases.

Validation:

• Round-trip tests (generate → verify)
• Official BIP-374 test vectors (pending - can add if desired)
• Interop testing with other implementations (pending)

No breaking changes to existing API signatures.

[quapka]

Interop testing with other implementations (pending)

What about extending bitcoinfuzz with DLEQ-related targets? It could be tested against the reference implementation, NBitcoin, or rust-dleq.

[notTanveer]

If the nonce derivation skips the required r (aux randomness) input + the BIP0374/aux and BIP0374/nonce tagged hash flow, it can leak a.

could leak a if two proofs were constructed for the same a, B, and G but a different message m and an all-zero r.