dhruv · dhruv · May 10, 2022 · Jun 9, 2022 · Jun 9, 2022 · Jan 6, 2021
diff --git a/build_msvc/libsecp256k1/libsecp256k1.vcxproj b/build_msvc/libsecp256k1/libsecp256k1.vcxproj
@@ -14,7 +14,7 @@
  </ItemGroup>
  <ItemDefinitionGroup>
  <ClCompile>
- <PreprocessorDefinitions>ENABLE_MODULE_RECOVERY;ENABLE_MODULE_EXTRAKEYS;ENABLE_MODULE_SCHNORRSIG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <PreprocessorDefinitions>ENABLE_MODULE_RECOVERY;ENABLE_MODULE_EXTRAKEYS;ENABLE_MODULE_SCHNORRSIG;ENABLE_MODULE_ELLSWIFT;%(PreprocessorDefinitions)</PreprocessorDefinitions>
  <AdditionalIncludeDirectories>..\..\src\secp256k1;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
  <DisableSpecificWarnings>4146;4244;4267;4334</DisableSpecificWarnings>
  </ClCompile>

diff --git a/configure.ac b/configure.ac
@@ -1989,7 +1989,7 @@ CPPFLAGS_TEMP="$CPPFLAGS"
 unset CPPFLAGS
 CPPFLAGS="$CPPFLAGS_TEMP"
 
-ac_configure_args="${ac_configure_args} --disable-shared --with-pic --enable-benchmark=no --enable-module-recovery --disable-module-ecdh"
+ac_configure_args="${ac_configure_args} --disable-shared --with-pic --enable-benchmark=no --enable-module-recovery --disable-module-ecdh --enable-experimental --enable-module-ellswift"
 AC_CONFIG_SUBDIRS([src/secp256k1])
 
 AC_OUTPUT

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -530,8 +530,8 @@ crypto_libbitcoin_crypto_base_la_LDFLAGS = $(AM_LDFLAGS) -static
 crypto_libbitcoin_crypto_base_la_SOURCES = \
  crypto/aes.cpp \
  crypto/aes.h \
- crypto/chacha_poly_aead.h \
- crypto/chacha_poly_aead.cpp \
+ crypto/bip324_suite.h \
+ crypto/bip324_suite.cpp \
  crypto/chacha20.h \
  crypto/chacha20.cpp \
  crypto/common.h \
@@ -545,6 +545,8 @@ crypto_libbitcoin_crypto_base_la_SOURCES = \
  crypto/poly1305.cpp \
  crypto/muhash.h \
  crypto/muhash.cpp \
+ crypto/rfc8439.h \
+ crypto/rfc8439.cpp \
  crypto/ripemd160.cpp \
  crypto/ripemd160.h \
  crypto/sha1.cpp \

diff --git a/src/Makefile.bench.include b/src/Makefile.bench.include
@@ -18,17 +18,19 @@ bench_bench_bitcoin_SOURCES = \
  bench/bench.cpp \
  bench/bench.h \
  bench/bench_bitcoin.cpp \
+ bench/bip324_ecdh.cpp \
+ bench/bip324_suite.cpp \
  bench/block_assemble.cpp \
  bench/ccoins_caching.cpp \
  bench/chacha20.cpp \
- bench/chacha_poly_aead.cpp \
  bench/checkblock.cpp \
  bench/checkqueue.cpp \
  bench/crypto_hash.cpp \
  bench/data.cpp \
  bench/data.h \
  bench/descriptors.cpp \
  bench/duplicate_inputs.cpp \
+ bench/ellswift.cpp \
  bench/examples.cpp \
  bench/gcs_filter.cpp \
  bench/hashpadding.cpp \
@@ -43,6 +45,7 @@ bench_bench_bitcoin_SOURCES = \
  bench/peer_eviction.cpp \
  bench/poly1305.cpp \
  bench/prevector.cpp \
+ bench/rfc8439.cpp \
  bench/rollingbloom.cpp \
  bench/rpc_blockchain.cpp \
  bench/rpc_mempool.cpp \

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
@@ -16,6 +16,7 @@ FUZZ_BINARY=test/fuzz/fuzz$(EXEEXT)
 
 JSON_TEST_FILES = \
  test/data/script_tests.json \
+ test/data/bip324_vectors.json \
  test/data/bip341_wallet_vectors.json \
  test/data/base58_encode_decode.json \
  test/data/blockfilters.json \
@@ -256,12 +257,13 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/crypto.cpp \
  test/fuzz/crypto_aes256.cpp \
  test/fuzz/crypto_aes256cbc.cpp \
+ test/fuzz/crypto_bip324_suite.cpp \
  test/fuzz/crypto_chacha20.cpp \
- test/fuzz/crypto_chacha20_poly1305_aead.cpp \
  test/fuzz/crypto_common.cpp \
  test/fuzz/crypto_diff_fuzz_chacha20.cpp \
  test/fuzz/crypto_hkdf_hmac_sha256_l32.cpp \
  test/fuzz/crypto_poly1305.cpp \
+ test/fuzz/crypto_rfc8439.cpp \
  test/fuzz/cuckoocache.cpp \
  test/fuzz/decode_tx.cpp \
  test/fuzz/descriptor_parse.cpp \
@@ -293,6 +295,7 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/netbase_dns_lookup.cpp \
  test/fuzz/node_eviction.cpp \
  test/fuzz/p2p_transport_serialization.cpp \
+ test/fuzz/p2p_v2_transport_serialization.cpp \
  test/fuzz/parse_hd_keypath.cpp \
  test/fuzz/parse_numbers.cpp \
  test/fuzz/parse_script.cpp \

diff --git a/src/bench/bip324_ecdh.cpp b/src/bench/bip324_ecdh.cpp
@@ -0,0 +1,57 @@
+// Copyright (c) 2022 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <bench/bench.h>
+
+#include <key.h>
+#include <pubkey.h>
+#include <random.h>
+#include <secp256k1.h>
+#include <secp256k1_ellswift.h>
+
+#include <cstddef>
+
+CKey GetRandomKey()
+{
+ CKey key;
+ key.MakeNewKey(true);
+ return key;
+}
+
+int GetEll64(const CKey& key, unsigned char* ell64, secp256k1_context* ctx)
+{
+ std::array<unsigned char, 32> rnd32;
+ GetRandBytes(rnd32);
+ return secp256k1_ellswift_create(ctx, ell64, reinterpret_cast<const unsigned char*>(key.data()), rnd32.data());
+}
+
+static void BIP324_ECDH(benchmark::Bench& bench)
+{
+ ECC_Start();
+ secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
+ assert(ctx != nullptr);
+ assert(secp256k1_context_randomize(ctx, nullptr));
+ auto our_key = GetRandomKey();
+ auto their_key = GetRandomKey();
+
+ unsigned char our_ell64[64], their_ell64[64];
+ if (!GetEll64(our_key, our_ell64, ctx)) {
+ assert(false);
+ }
+
+ if (!GetEll64(their_key, their_ell64, ctx)) {
+ assert(false);
+ }
+
+ bench.batch(1).unit("ecdh").run([&] {
+ assert(our_key.ComputeBIP324ECDHSecret({reinterpret_cast<std::byte*>(their_ell64), 64},
+ {reinterpret_cast<std::byte*>(our_ell64), 64},
+ true)
+ .has_value());
+ });
+ secp256k1_context_destroy(ctx);
+ ECC_Stop();
+}
+
+BENCHMARK(BIP324_ECDH, benchmark::PriorityLevel::HIGH);
diff --git a/src/bench/bip324_suite.cpp b/src/bench/bip324_suite.cpp
@@ -0,0 +1,117 @@
+// Copyright (c) 2019-2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+
+#include <assert.h>
+#include <bench/bench.h>
+#include <crypto/bip324_suite.h>
+#include <crypto/rfc8439.h> // for the RFC8439_EXPANSION constant
+#include <hash.h>
+
+#include <array>
+#include <cstddef>
+#include <vector>
+
+/* Number of bytes to process per iteration */
+static constexpr uint64_t BUFFER_SIZE_TINY = 64;
+static constexpr uint64_t BUFFER_SIZE_SMALL = 256;
+static constexpr uint64_t BUFFER_SIZE_LARGE = 1024 * 1024;
+
+static const std::vector<std::byte> zero_vec(BIP324_KEY_LEN, std::byte{0x00});
+
+static void BIP324_CIPHER_SUITE(benchmark::Bench& bench, size_t contents_len, bool include_decryption)
+{
+ BIP324Key zero_arr;
+ memcpy(zero_arr.data(), zero_vec.data(), BIP324_KEY_LEN);
+ BIP324CipherSuite enc{zero_arr, zero_arr};
+ BIP324CipherSuite dec{zero_arr, zero_arr};
+
+ auto packet_len = BIP324_LENGTH_FIELD_LEN + BIP324_HEADER_LEN + contents_len + RFC8439_EXPANSION;
+
+ std::vector<std::byte> in(contents_len, std::byte{0x00});
+ std::vector<std::byte> out(packet_len, std::byte{0x00});
+
+ BIP324HeaderFlags flags{BIP324_NONE};
+
+ bench.batch(contents_len).unit("byte").run([&] {
+ // encrypt or decrypt the buffer with a static key
+ const bool crypt_ok_1 = enc.Crypt({}, in, out, flags, true);
+ assert(crypt_ok_1);
+
+ if (include_decryption) {
+ // if we decrypt, we need to decrypt the length first
+ std::array<std::byte, BIP324_LENGTH_FIELD_LEN> encrypted_pkt_len;
+ memcpy(encrypted_pkt_len.data(), out.data(), BIP324_LENGTH_FIELD_LEN);
+ (void)dec.DecryptLength(encrypted_pkt_len);
+ const bool crypt_ok_2 = dec.Crypt({}, {out.data() + BIP324_LENGTH_FIELD_LEN, out.size() - BIP324_LENGTH_FIELD_LEN}, in, flags, false);
+ assert(crypt_ok_2);
+ }
+ });
+}
+
+static void BIP324_CIPHER_SUITE_64BYTES_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+ BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_TINY, false);
+}
+
+static void BIP324_CIPHER_SUITE_256BYTES_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+ BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_SMALL, false);
+}
+
+static void BIP324_CIPHER_SUITE_1MB_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+ BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_LARGE, false);
+}
+
+static void BIP324_CIPHER_SUITE_64BYTES_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+ BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_TINY, true);
+}
+
+static void BIP324_CIPHER_SUITE_256BYTES_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+ BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_SMALL, true);
+}
+
+static void BIP324_CIPHER_SUITE_1MB_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+ BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_LARGE, true);
+}
+
+// Add Hash() (dbl-sha256) bench for comparison
+
+static void HASH(benchmark::Bench& bench, size_t buffersize)
+{
+ uint8_t hash[CHash256::OUTPUT_SIZE];
+ std::vector<uint8_t> in(buffersize, 0);
+ bench.batch(in.size()).unit("byte").run([&] {
+ CHash256().Write(in).Finalize(hash);
+ });
+}
+
+static void HASH_64BYTES(benchmark::Bench& bench)
+{
+ HASH(bench, BUFFER_SIZE_TINY);
+}
+
+static void HASH_256BYTES(benchmark::Bench& bench)
+{
+ HASH(bench, BUFFER_SIZE_SMALL);
+}
+
+static void HASH_1MB(benchmark::Bench& bench)
+{
+ HASH(bench, BUFFER_SIZE_LARGE);
+}
+
+BENCHMARK(BIP324_CIPHER_SUITE_64BYTES_ONLY_ENCRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(BIP324_CIPHER_SUITE_256BYTES_ONLY_ENCRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(BIP324_CIPHER_SUITE_1MB_ONLY_ENCRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(BIP324_CIPHER_SUITE_64BYTES_ENCRYPT_DECRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(BIP324_CIPHER_SUITE_256BYTES_ENCRYPT_DECRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(BIP324_CIPHER_SUITE_1MB_ENCRYPT_DECRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(HASH_64BYTES, benchmark::PriorityLevel::HIGH);
+BENCHMARK(HASH_256BYTES, benchmark::PriorityLevel::HIGH);
+BENCHMARK(HASH_1MB, benchmark::PriorityLevel::HIGH);