dhruv · dhruv · Sep 21, 2022 · Sep 21, 2022 · Sep 21, 2022 · Jun 10, 2022
diff --git a/build_msvc/libsecp256k1/libsecp256k1.vcxproj b/build_msvc/libsecp256k1/libsecp256k1.vcxproj
@@ -14,7 +14,7 @@
   </ItemGroup>
   <ItemDefinitionGroup>
     <ClCompile>
-      <PreprocessorDefinitions>ENABLE_MODULE_ECDH;ENABLE_MODULE_RECOVERY;ENABLE_MODULE_EXTRAKEYS;ENABLE_MODULE_SCHNORRSIG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>ENABLE_MODULE_ECDH;ENABLE_MODULE_RECOVERY;ENABLE_MODULE_EXTRAKEYS;ENABLE_MODULE_SCHNORRSIG;ENABLE_MODULE_ELLSWIFT;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>..\..\src\secp256k1;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <DisableSpecificWarnings>4146;4244;4267;4334</DisableSpecificWarnings>
     </ClCompile>

diff --git a/configure.ac b/configure.ac
@@ -2016,7 +2016,7 @@ LIBS_TEMP="$LIBS"
 unset LIBS
 LIBS="$LIBS_TEMP"
 
-ac_configure_args="${ac_configure_args} --disable-shared --with-pic --enable-benchmark=no --enable-module-recovery --enable-module-schnorrsig"
+ac_configure_args="${ac_configure_args} --disable-shared --with-pic --enable-benchmark=no --enable-module-recovery --enable-module-schnorrsig --enable-experimental --enable-module-ellswift"
 AC_CONFIG_SUBDIRS([src/secp256k1])
 
 AC_OUTPUT

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -514,8 +514,8 @@ crypto_libbitcoin_crypto_base_la_LDFLAGS = $(AM_LDFLAGS) -static
 crypto_libbitcoin_crypto_base_la_SOURCES = \
   crypto/aes.cpp \
   crypto/aes.h \
-  crypto/chacha_poly_aead.h \
-  crypto/chacha_poly_aead.cpp \
+  crypto/bip324_suite.h \
+  crypto/bip324_suite.cpp \
   crypto/chacha20.h \
   crypto/chacha20.cpp \
   crypto/common.h \
@@ -529,6 +529,8 @@ crypto_libbitcoin_crypto_base_la_SOURCES = \
   crypto/poly1305.cpp \
   crypto/muhash.h \
   crypto/muhash.cpp \
+  crypto/rfc8439.h \
+  crypto/rfc8439.cpp \
   crypto/ripemd160.cpp \
   crypto/ripemd160.h \
   crypto/sha1.cpp \

diff --git a/src/Makefile.bench.include b/src/Makefile.bench.include
@@ -18,17 +18,19 @@ bench_bench_bitcoin_SOURCES = \
   bench/bench.cpp \
   bench/bench.h \
   bench/bench_bitcoin.cpp \
+  bench/bip324_ecdh.cpp \
+  bench/bip324_suite.cpp \
   bench/block_assemble.cpp \
   bench/ccoins_caching.cpp \
   bench/chacha20.cpp \
-  bench/chacha_poly_aead.cpp \
   bench/checkblock.cpp \
   bench/checkqueue.cpp \
   bench/crypto_hash.cpp \
   bench/data.cpp \
   bench/data.h \
   bench/descriptors.cpp \
   bench/duplicate_inputs.cpp \
+  bench/ellswift.cpp \
   bench/examples.cpp \
   bench/gcs_filter.cpp \
   bench/hashpadding.cpp \
@@ -42,6 +44,7 @@ bench_bench_bitcoin_SOURCES = \
   bench/peer_eviction.cpp \
   bench/poly1305.cpp \
   bench/prevector.cpp \
+  bench/rfc8439.cpp \
   bench/rollingbloom.cpp \
   bench/rpc_blockchain.cpp \
   bench/rpc_mempool.cpp \

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
@@ -16,6 +16,7 @@ FUZZ_BINARY=test/fuzz/fuzz$(EXEEXT)
 
 JSON_TEST_FILES = \
   test/data/script_tests.json \
+  test/data/bip324_vectors.json \
   test/data/bip341_wallet_vectors.json \
   test/data/base58_encode_decode.json \
   test/data/blockfilters.json \
@@ -161,7 +162,8 @@ BITCOIN_TESTS =\
   test/validation_flush_tests.cpp \
   test/validation_tests.cpp \
   test/validationinterface_tests.cpp \
-  test/versionbits_tests.cpp
+  test/versionbits_tests.cpp \
+  test/xoroshiro128plusplus_tests.cpp
 
 if ENABLE_WALLET
 BITCOIN_TESTS += \
@@ -254,12 +256,13 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/crypto.cpp \
  test/fuzz/crypto_aes256.cpp \
  test/fuzz/crypto_aes256cbc.cpp \
+ test/fuzz/crypto_bip324_suite.cpp \
  test/fuzz/crypto_chacha20.cpp \
- test/fuzz/crypto_chacha20_poly1305_aead.cpp \
  test/fuzz/crypto_common.cpp \
  test/fuzz/crypto_diff_fuzz_chacha20.cpp \
  test/fuzz/crypto_hkdf_hmac_sha256_l32.cpp \
  test/fuzz/crypto_poly1305.cpp \
+ test/fuzz/crypto_rfc8439.cpp \
  test/fuzz/cuckoocache.cpp \
  test/fuzz/decode_tx.cpp \
  test/fuzz/descriptor_parse.cpp \
@@ -291,6 +294,7 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/netbase_dns_lookup.cpp \
  test/fuzz/node_eviction.cpp \
  test/fuzz/p2p_transport_serialization.cpp \
+ test/fuzz/p2p_v2_transport_serialization.cpp \
  test/fuzz/parse_hd_keypath.cpp \
  test/fuzz/parse_numbers.cpp \
  test/fuzz/parse_script.cpp \

diff --git a/src/Makefile.test_util.include b/src/Makefile.test_util.include
@@ -19,7 +19,8 @@ TEST_UTIL_H = \
   test/util/transaction_utils.h \
   test/util/txmempool.h \
   test/util/validation.h \
-  test/util/wallet.h
+  test/util/wallet.h \
+  test/util/xoroshiro128plusplus.h
 
 libtest_util_a_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES) $(BOOST_CPPFLAGS)
 libtest_util_a_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)

diff --git a/src/bench/bip324_ecdh.cpp b/src/bench/bip324_ecdh.cpp
@@ -0,0 +1,52 @@
+// Copyright (c) 2022 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <bench/bench.h>
+
+#include <key.h>
+#include <pubkey.h>
+#include <random.h>
+#include <secp256k1_ellswift.h>
+
+#include <cstddef>
+
+CKey GetRandomKey()
+{
+    CKey key;
+    key.MakeNewKey(true);
+    return key;
+}
+
+int GetEll64(const CKey& key, unsigned char* ell64)
+{
+    std::array<unsigned char, 32> rnd32;
+    GetRandBytes(rnd32);
+    return secp256k1_ellswift_create(GetVerifyContext(), ell64, reinterpret_cast<const unsigned char*>(key.data()), rnd32.data());
+}
+
+static void BIP324_ECDH(benchmark::Bench& bench)
+{
+    ECC_Start();
+    auto our_key = GetRandomKey();
+    auto their_key = GetRandomKey();
+
+    unsigned char our_ell64[64], their_ell64[64];
+    if (!GetEll64(our_key, our_ell64)) {
+        assert(false);
+    }
+
+    if (!GetEll64(their_key, their_ell64)) {
+        assert(false);
+    }
+
+    bench.batch(1).unit("ecdh").run([&] {
+        assert(our_key.ComputeBIP324ECDHSecret({reinterpret_cast<std::byte*>(their_ell64), 64},
+                                               {reinterpret_cast<std::byte*>(our_ell64), 64},
+                                               true)
+                   .has_value());
+    });
+    ECC_Stop();
+}
+
+BENCHMARK(BIP324_ECDH);
diff --git a/src/bench/bip324_suite.cpp b/src/bench/bip324_suite.cpp
@@ -0,0 +1,120 @@
+// Copyright (c) 2019-2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+
+#include <assert.h>
+#include <bench/bench.h>
+#include <crypto/bip324_suite.h>
+#include <crypto/rfc8439.h> // for the RFC8439_EXPANSION constant
+#include <hash.h>
+
+#include <array>
+#include <cstddef>
+#include <vector>
+
+/* Number of bytes to process per iteration */
+static constexpr uint64_t BUFFER_SIZE_TINY = 64;
+static constexpr uint64_t BUFFER_SIZE_SMALL = 256;
+static constexpr uint64_t BUFFER_SIZE_LARGE = 1024 * 1024;
+
+static const std::vector<std::byte> zero_vec(BIP324_KEY_LEN, std::byte{0x00});
+
+static void BIP324_CIPHER_SUITE(benchmark::Bench& bench, size_t contents_len, bool include_decryption)
+{
+    BIP324Key zero_arr;
+    std::array<std::byte, BIP324_REKEY_SALT_LEN> zero_rekey_salt;
+    memcpy(zero_arr.data(), zero_vec.data(), BIP324_KEY_LEN);
+    memcpy(zero_rekey_salt.data(), zero_vec.data(), BIP324_REKEY_SALT_LEN);
+
+    BIP324CipherSuite enc{zero_arr, zero_arr, zero_rekey_salt};
+    BIP324CipherSuite dec{zero_arr, zero_arr, zero_rekey_salt};
+
+    auto packet_len = BIP324_LENGTH_FIELD_LEN + BIP324_HEADER_LEN + contents_len + RFC8439_EXPANSION;
+
+    std::vector<std::byte> in(contents_len, std::byte{0x00});
+    std::vector<std::byte> out(packet_len, std::byte{0x00});
+
+    BIP324HeaderFlags flags{BIP324_NONE};
+
+    bench.batch(contents_len).unit("byte").run([&] {
+        // encrypt or decrypt the buffer with a static key
+        const bool crypt_ok_1 = enc.Crypt({}, in, out, flags, true);
+        assert(crypt_ok_1);
+
+        if (include_decryption) {
+            // if we decrypt, we need to decrypt the length first
+            std::array<std::byte, BIP324_LENGTH_FIELD_LEN> encrypted_pkt_len;
+            memcpy(encrypted_pkt_len.data(), out.data(), BIP324_LENGTH_FIELD_LEN);
+            (void)dec.DecryptLength(encrypted_pkt_len);
+            const bool crypt_ok_2 = dec.Crypt({}, {out.data() + BIP324_LENGTH_FIELD_LEN, out.size() - BIP324_LENGTH_FIELD_LEN}, in, flags, false);
+            assert(crypt_ok_2);
+        }
+    });
+}
+
+static void BIP324_CIPHER_SUITE_64BYTES_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_TINY, false);
+}
+
+static void BIP324_CIPHER_SUITE_256BYTES_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_SMALL, false);
+}
+
+static void BIP324_CIPHER_SUITE_1MB_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_LARGE, false);
+}
+
+static void BIP324_CIPHER_SUITE_64BYTES_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_TINY, true);
+}
+
+static void BIP324_CIPHER_SUITE_256BYTES_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_SMALL, true);
+}
+
+static void BIP324_CIPHER_SUITE_1MB_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_LARGE, true);
+}
+
+// Add Hash() (dbl-sha256) bench for comparison
+
+static void HASH(benchmark::Bench& bench, size_t buffersize)
+{
+    uint8_t hash[CHash256::OUTPUT_SIZE];
+    std::vector<uint8_t> in(buffersize, 0);
+    bench.batch(in.size()).unit("byte").run([&] {
+        CHash256().Write(in).Finalize(hash);
+    });
+}
+
+static void HASH_64BYTES(benchmark::Bench& bench)
+{
+    HASH(bench, BUFFER_SIZE_TINY);
+}
+
+static void HASH_256BYTES(benchmark::Bench& bench)
+{
+    HASH(bench, BUFFER_SIZE_SMALL);
+}
+
+static void HASH_1MB(benchmark::Bench& bench)
+{
+    HASH(bench, BUFFER_SIZE_LARGE);
+}
+
+BENCHMARK(BIP324_CIPHER_SUITE_64BYTES_ONLY_ENCRYPT);
+BENCHMARK(BIP324_CIPHER_SUITE_256BYTES_ONLY_ENCRYPT);
+BENCHMARK(BIP324_CIPHER_SUITE_1MB_ONLY_ENCRYPT);
+BENCHMARK(BIP324_CIPHER_SUITE_64BYTES_ENCRYPT_DECRYPT);
+BENCHMARK(BIP324_CIPHER_SUITE_256BYTES_ENCRYPT_DECRYPT);
+BENCHMARK(BIP324_CIPHER_SUITE_1MB_ENCRYPT_DECRYPT);
+BENCHMARK(HASH_64BYTES);
+BENCHMARK(HASH_256BYTES);
+BENCHMARK(HASH_1MB);
diff --git a/src/bench/chacha20.cpp b/src/bench/chacha20.cpp
@@ -14,9 +14,9 @@ static const uint64_t BUFFER_SIZE_LARGE = 1024*1024;
 static void CHACHA20(benchmark::Bench& bench, size_t buffersize)
 {
     std::vector<uint8_t> key(32,0);
-    ChaCha20 ctx(key.data(), key.size());
+    ChaCha20 ctx(key.data());
     ctx.SetIV(0);
-    ctx.Seek(0);
+    ctx.Seek64(0);
     std::vector<uint8_t> in(buffersize,0);
     std::vector<uint8_t> out(buffersize,0);
     bench.batch(in.size()).unit("byte").run([&] {