BIP324 tracking issue

[sipa]

This issue will be updated to reflect the current state of BIP324 integration.

PRs ready for review:

• net: enable v2transport by default #29347

Overall plan:

• ElligatorSwift integration in Bitcoin Core (formerly 23432, 23561)
  • Dependency: Jacobi symbol support in libsecp256k1: Native jacobi symbol algorithm bitcoin-core/secp256k1#979
  • Dependency: ElligatorSwift support in libsecp256k1: ElligatorSwift + integrated x-only DH bitcoin-core/secp256k1#1129
  • Dependency: update libsecp256k1 subtree: currently part of 27479.
  • Main feature: BIP324: ElligatorSwift integrations #27479
• Cipher suite implementation (formerly 25361):
  • Dependency: support for not wasting ChaCha20 stream bytes: Reduce wasted pseudorandom bytes in ChaCha20 + various improvements #26153
  • Dependency: support for RFC8439 variant of ChaCha20: Add support for RFC8439 variant of ChaCha20 #27985
  • Dependency: support for incremental Poly1305 computation: Make poly1305 support incremental computation + modernize #27993
  • Main feature: BIP324 ciphersuite #28008
  • Follow-up: crypto: BIP324 ciphersuite follow-up #28267
  • Follow-up: Add fuzz test for FSChaCha20Poly1305, AEADChacha20Poly1305 #28263
• P2P v2 connection support (formerly 25361, 23233, 24545):
  • Dependency: P2P transport abstraction: net: transport abstraction #28165
  • Main feature: BIP324 connection support #28196
  • Follow up: Follow-up to BIP324 connection support #28433
  • Bugfix: tests: fix incorrect assumption in v2transport_test #28489
  • Follow up: BIP change: net: Drop v2 garbage authentication packet #28525
  • Follow up: BIP change: net: raise V1_PREFIX_LEN from 12 to 16 #28577
  • Potential follow-up: decide how to report handshake/decoy bytes in per-message stats: BIP324 integration #28331 (comment)
• P2P v2 signalling/integration (formerly 24545):
  • Main feature: BIP324 integration #28331
  • Follow up test: test: BIP324: add checks for v1 prefix matching / wrong network magic detection #28588
  • Follow up: make all functional tests compatible with v2: test: Make existing functional tests compatible with --v2transport #28805
  • Potential follow-up: integrated connect/add/reconnect logic: BIP324 integration #28331 (comment)
  • Potential follow-up: reuse CNode objects on reconnect: BIP324 integration #28331 (comment)
  • Potential follow-up: use V2Transport for everything, dropping abstract class: BIP324 integration #28331 (comment)
  • Enable V2 by default: net: enable v2transport by default #29347
• BIP324 functional tests:
  • Dependency: ElligatorSwift support in functional tests: test: add python implementation of Elligator swift #24005
  • Dependency: Field element support in functional tests: Introduce secp256k1 module with field and group classes to test framework #26222
  • Dependency: Python cryptography test: python cryptography required for BIP 324 functional tests #28374
  • Main feature: test/BIP324: functional tests for v2 P2P encryption #24748
• P2P_V2 service flag support in DNS seeder:
  • Main feature: Add NODE_P2P_V2 to filters sipa/bitcoin-seeder#102

Older stuff:

• Prehistory:

  • CKey negation (no longer needed): Add HKDF_HMAC256_L32 and method to negate a private key #14047
  • ChaCha20 encryption: Add ChaCha20 encryption option (XOR) #15512
  • Poly1305 authentication: Add Poly1305 implementation #15519
  • Old ChaCha20Poly1305@Bitcoin cipher: Add ChaCha20Poly1305@Bitcoin AEAD #15649
  • Preparing for multiple transport layers:
    • p2p: Refactor network message deserialization  #16202
    • Refactor message transport packaging #16562
  • Fuzz tests for various components:
    • tests: Add fuzzing harness for V1TransportDeserializer (P2P transport) #17771
    • tests: Add fuzzing harness for AES{CBC,}256{Encrypt,Decrypt}, poly1305_auth, CHKDF_HMAC_SHA256_L32, ChaCha20 and ChaCha20Poly1305AEAD #19296
    • [fuzz] Improve transport deserialization fuzz test coverage #22029
    • fuzz: Differential fuzzing to compare Bitcoin Core's and D. J. Bernstein's implementation of ChaCha20 #22704
    • fuzz: follow up for #22704 #23806
  • Miscellaneous fixes:
    • crypto: Fix K1/K2 use in ChaCha20-Poly1305 AEAD #22331
    • crypto: Fix K1/K2 use in the comments in ChaCha20-Poly1305 AEAD #23271
  • ChaCha20 performance: Unroll the ChaCha20 inner loop for performance #24946

• Superseded:

  • Add p2p layer encryption with ECDH/ChaCha20Poly1305 #14032
  • net: Refactor message parsing (CNetMessage), adds flexibility #14046
  • Enable libsecp256k1 ecdh module, add ECDH function to CKey #14049
  • Add chacha20/poly1305 and chacha20poly1305_AEAD from openssh #14050
  • Add BIP324 encrypted p2p transport de-/serializer (only used in tests) #18242
  • Alter the ChaCha20Poly1305@Bitcoin AEAD to the new specification #20962
  • BIP324: Add encrypted p2p transport {de}serializer #23233
  • [Fuzz] Poly1305 differential fuzzing against Floodyberry's implementation #23322
  • BIP324: CKey encode/decode to elligator-swift #23432
  • fuzz: Differential fuzzing for ChaCha20Forward4064-Poly1305@bitcoin cipher suite #23441
  • rpc: p2p_v2 rpc argument for addnode #23900
  • BIP324: Handshake prerequisites #23561
  • BIP324: Enable v2 P2P encrypted transport #24545
  • BIP324: Cipher suite #25361

[fanquake]

Review comments from #28008 that could be incorporated into future changes:

• BIP324 ciphersuite #28008 (review)
• BIP324 ciphersuite #28008 (comment)
• BIP324 ciphersuite #28008 (comment)
• BIP324 ciphersuite #28008 (comment)
• BIP324 ciphersuite #28008 (comment)
• BIP324 ciphersuite #28008 (comment)