#23561 bip324-handshake

configure.ac

@@ -1989,7 +1989,7 @@ CPPFLAGS_TEMP="$CPPFLAGS"
 unset CPPFLAGS
 CPPFLAGS="$CPPFLAGS_TEMP"
 
-ac_configure_args="${ac_configure_args} --disable-shared --with-pic --enable-benchmark=no --enable-module-recovery --disable-module-ecdh"
+ac_configure_args="${ac_configure_args} --disable-shared --with-pic --enable-benchmark=no --enable-module-recovery --disable-module-ecdh --enable-experimental --enable-module-ellswift"
 AC_CONFIG_SUBDIRS([src/secp256k1])
 
 AC_OUTPUT

src/Makefile.am

@@ -530,8 +530,8 @@ crypto_libbitcoin_crypto_base_la_LDFLAGS = $(AM_LDFLAGS) -static
 crypto_libbitcoin_crypto_base_la_SOURCES = \
   crypto/aes.cpp \
   crypto/aes.h \
-  crypto/chacha_poly_aead.h \
-  crypto/chacha_poly_aead.cpp \
+  crypto/bip324_suite.h \
+  crypto/bip324_suite.cpp \
   crypto/chacha20.h \
   crypto/chacha20.cpp \
   crypto/common.h \
@@ -545,6 +545,8 @@ crypto_libbitcoin_crypto_base_la_SOURCES = \
   crypto/poly1305.cpp \
   crypto/muhash.h \
   crypto/muhash.cpp \
+  crypto/rfc8439.h \
+  crypto/rfc8439.cpp \
   crypto/ripemd160.cpp \
   crypto/ripemd160.h \
   crypto/sha1.cpp \

src/Makefile.bench.include

@@ -18,10 +18,11 @@ bench_bench_bitcoin_SOURCES = \
   bench/bench.cpp \
   bench/bench.h \
   bench/bench_bitcoin.cpp \
+  bench/bip324_ecdh.cpp \
+  bench/bip324_suite.cpp \
   bench/block_assemble.cpp \
   bench/ccoins_caching.cpp \
   bench/chacha20.cpp \
-  bench/chacha_poly_aead.cpp \
   bench/checkblock.cpp \
   bench/checkqueue.cpp \
   bench/crypto_hash.cpp \
@@ -43,6 +44,7 @@ bench_bench_bitcoin_SOURCES = \
   bench/peer_eviction.cpp \
   bench/poly1305.cpp \
   bench/prevector.cpp \
+  bench/rfc8439.cpp \
   bench/rollingbloom.cpp \
   bench/rpc_blockchain.cpp \
   bench/rpc_mempool.cpp \

src/Makefile.test.include

@@ -256,12 +256,13 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/crypto.cpp \
  test/fuzz/crypto_aes256.cpp \
  test/fuzz/crypto_aes256cbc.cpp \
+ test/fuzz/crypto_bip324_suite.cpp \
  test/fuzz/crypto_chacha20.cpp \
- test/fuzz/crypto_chacha20_poly1305_aead.cpp \
  test/fuzz/crypto_common.cpp \
  test/fuzz/crypto_diff_fuzz_chacha20.cpp \
  test/fuzz/crypto_hkdf_hmac_sha256_l32.cpp \
  test/fuzz/crypto_poly1305.cpp \
+ test/fuzz/crypto_rfc8439.cpp \
  test/fuzz/cuckoocache.cpp \
  test/fuzz/decode_tx.cpp \
  test/fuzz/descriptor_parse.cpp \

src/bench/bip324_ecdh.cpp

@@ -0,0 +1,57 @@
+// Copyright (c) 2022 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <bench/bench.h>
+
+#include <key.h>
+#include <pubkey.h>
+#include <random.h>
+#include <secp256k1.h>
+#include <secp256k1_ellswift.h>
+
+#include <cstddef>
+
+CKey GetRandomKey()
+{
+    CKey key;
+    key.MakeNewKey(true);
+    return key;
+}
+
+int GetEll64(const CKey& key, unsigned char* ell64, secp256k1_context* ctx)
+{
+    std::array<unsigned char, 32> rnd32;
+    GetRandBytes(rnd32);
+    return secp256k1_ellswift_create(ctx, ell64, reinterpret_cast<const unsigned char*>(key.data()), rnd32.data());
+}
+
+static void BIP324_ECDH(benchmark::Bench& bench)
+{
+    ECC_Start();
+    secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
+    assert(ctx != nullptr);
+    assert(secp256k1_context_randomize(ctx, nullptr));
+    auto our_key = GetRandomKey();
+    auto their_key = GetRandomKey();
+
+    unsigned char our_ell64[64], their_ell64[64];
+    if (!GetEll64(our_key, our_ell64, ctx)) {
+        assert(false);
+    }
+
+    if (!GetEll64(their_key, their_ell64, ctx)) {
+        assert(false);
+    }
+
+    bench.batch(1).unit("ecdh").run([&] {
+        assert(our_key.ComputeBIP324ECDHSecret({reinterpret_cast<std::byte*>(their_ell64), 64},
+                                               {reinterpret_cast<std::byte*>(our_ell64), 64},
+                                               true)
+                   .has_value());
+    });
+    secp256k1_context_destroy(ctx);
+    ECC_Stop();
+}
+
+BENCHMARK(BIP324_ECDH, benchmark::PriorityLevel::HIGH);

src/bench/bip324_suite.cpp

@@ -0,0 +1,116 @@
+// Copyright (c) 2019-2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <assert.h>
+#include <bench/bench.h>
+#include <crypto/bip324_suite.h>
+#include <crypto/rfc8439.h>
+#include <hash.h>
+
+#include <array>
+#include <cstddef>
+#include <vector>
+
+/* Number of bytes to process per iteration */
+static constexpr uint64_t BUFFER_SIZE_TINY = 64;
+static constexpr uint64_t BUFFER_SIZE_SMALL = 256;
+static constexpr uint64_t BUFFER_SIZE_LARGE = 1024 * 1024;
+
+static const std::vector<std::byte> zero_vec(BIP324_KEY_LEN, std::byte{0x00});
+
+static void BIP324_CIPHER_SUITE(benchmark::Bench& bench, size_t contents_len, bool include_decryption)
+{
+    BIP324Key zero_arr;
+    std::memcpy(zero_arr.data(), zero_vec.data(), BIP324_KEY_LEN);
+    BIP324CipherSuite enc{zero_arr, zero_arr};
+    BIP324CipherSuite dec{zero_arr, zero_arr};
+
+    auto packet_len = BIP324_LENGTH_FIELD_LEN + BIP324_HEADER_LEN + contents_len + RFC8439_EXPANSION;
+
+    std::vector<std::byte> in(contents_len, std::byte{0x00});
+    std::vector<std::byte> out(packet_len, std::byte{0x00});
+
+    BIP324HeaderFlags flags{BIP324_NONE};
+
+    bench.batch(contents_len).unit("byte").run([&] {
+        // encrypt or decrypt the buffer with a static key
+        const bool crypt_ok_1 = enc.Crypt({}, in, out, flags, true);
+        assert(crypt_ok_1);
+
+        if (include_decryption) {
+            // if we decrypt, we need to decrypt the length first
+            std::array<std::byte, BIP324_LENGTH_FIELD_LEN> encrypted_pkt_len;
+            std::memcpy(encrypted_pkt_len.data(), out.data(), BIP324_LENGTH_FIELD_LEN);
+            (void)dec.DecryptLength(encrypted_pkt_len);
+            const bool crypt_ok_2 = dec.Crypt({}, {out.data() + BIP324_LENGTH_FIELD_LEN, out.size() - BIP324_LENGTH_FIELD_LEN}, in, flags, false);
+            assert(crypt_ok_2);
+        }
+    });
+}
+
+static void BIP324_CIPHER_SUITE_64BYTES_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_TINY, false);
+}
+
+static void BIP324_CIPHER_SUITE_256BYTES_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_SMALL, false);
+}
+
+static void BIP324_CIPHER_SUITE_1MB_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_LARGE, false);
+}
+
+static void BIP324_CIPHER_SUITE_64BYTES_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_TINY, true);
+}
+
+static void BIP324_CIPHER_SUITE_256BYTES_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_SMALL, true);
+}
+
+static void BIP324_CIPHER_SUITE_1MB_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+    BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_LARGE, true);
+}
+
+// Add Hash() (dbl-sha256) bench for comparison
+
+static void HASH(benchmark::Bench& bench, size_t buffersize)
+{
+    uint8_t hash[CHash256::OUTPUT_SIZE];
+    std::vector<uint8_t> in(buffersize, 0);
+    bench.batch(in.size()).unit("byte").run([&] {
+        CHash256().Write(in).Finalize(hash);
+    });
+}
+
+static void HASH_64BYTES(benchmark::Bench& bench)
+{
+    HASH(bench, BUFFER_SIZE_TINY);
+}
+
+static void HASH_256BYTES(benchmark::Bench& bench)
+{
+    HASH(bench, BUFFER_SIZE_SMALL);
+}
+
+static void HASH_1MB(benchmark::Bench& bench)
+{
+    HASH(bench, BUFFER_SIZE_LARGE);
+}
+
+BENCHMARK(BIP324_CIPHER_SUITE_64BYTES_ONLY_ENCRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(BIP324_CIPHER_SUITE_256BYTES_ONLY_ENCRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(BIP324_CIPHER_SUITE_1MB_ONLY_ENCRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(BIP324_CIPHER_SUITE_64BYTES_ENCRYPT_DECRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(BIP324_CIPHER_SUITE_256BYTES_ENCRYPT_DECRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(BIP324_CIPHER_SUITE_1MB_ENCRYPT_DECRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(HASH_64BYTES, benchmark::PriorityLevel::HIGH);
+BENCHMARK(HASH_256BYTES, benchmark::PriorityLevel::HIGH);
+BENCHMARK(HASH_1MB, benchmark::PriorityLevel::HIGH);