Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BIP324: Handshake prerequisites #23561

Closed
wants to merge 13 commits into from
Closed

Conversation

dhruv
Copy link
Contributor

@dhruv dhruv commented Nov 20, 2021

Depends on #25361 for some constants, and on bitcoin-core/secp256k1#1129 for ellswift integrated XDH but can be reviewed independently. Only the last 5 commits belong to this PR.

This PR adds xonly ECDH and HKDF key derivation code for BIP324. Unit, bench and fuzz tests are included.

The dependency tree for BIP324 PRs is here.

@DrahtBot
Copy link
Contributor

DrahtBot commented Nov 21, 2021

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type Reviewers
Concept ACK naumenkogs, PastaPastaPasta, theStack

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #27385 (net: extract Network and BIP155Network logic to node/network by jonatack)
  • #27294 (refactor: Move chain names to the util library by TheCharlatan)
  • #27254 (refactor: Extract util/fs from util/system by TheCharlatan)
  • #26684 (bench: add readblock benchmark by andrewtoth)
  • #25572 (refactor: Introduce EvictionManager and use it for the inbound eviction logic by dergoegge)
  • #25390 (sync: introduce a thread-safe generic container and use it to remove a bunch of "GlobalMutex"es by vasild)
  • #25268 (refactor: Introduce EvictionManager by dergoegge)
  • #23432 (BIP324: CKey encode/decode to elligator-swift by dhruv)
  • #23233 (BIP324: Add encrypted p2p transport {de}serializer by dhruv)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@naumenkogs
Copy link
Member

Concept ACK.
Moving forward with BIP324 is a good idea, and this code seems to not have any negative/unexpected side-effects.

@dhruv dhruv changed the title BIP324 handshake prerequisites BIP324: Handshake prerequisites Nov 23, 2021
src/key.cpp Outdated Show resolved Hide resolved
src/test/fuzz/key.cpp Outdated Show resolved Hide resolved

// Takes ownership of the ECDH secret and wipes the ephemeral secret once
// the derivation is complete.
explicit BIP324Keys(ECDHSecret&& ecdh_secret, const Span<uint8_t>& initiator_hdata, const Span<uint8_t>& responder_hdata);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: pass Spans by value.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

src/util/bip324.cpp Outdated Show resolved Hide resolved
src/util/bip324.h Outdated Show resolved Hide resolved
@dhruv
Copy link
Contributor Author

dhruv commented Nov 25, 2021

Addressed review comments from @sipa. Ready for further review.

src/net.cpp Outdated Show resolved Hide resolved
src/net.cpp Show resolved Hide resolved
alirezaayande referenced this pull request Dec 7, 2021
This makes it harder for others to tamper with
our adjusted time.
@dhruv
Copy link
Contributor Author

dhruv commented Dec 9, 2021

Addressed comments; Rebased with master to incorporate #23413. I am still investigating CI failures which seem like a timeout on Cirrus CI but re-running hasn't helped (other recent open PRs seem to be seeing this error as well). Meanwhile, ready for further review.

@dhruv
Copy link
Contributor Author

dhruv commented Jan 22, 2022

Rebased against master. Ready for further review.

Copy link
Contributor

@PastaPastaPasta PastaPastaPasta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

concept ACK / light utACK. I did a high level review, and everything makes sense to me.

I do have 1 tiny nit

src/bench/ecdh.cpp Outdated Show resolved Hide resolved
@dhruv
Copy link
Contributor Author

dhruv commented Mar 11, 2022

Rebased. Ready for further review.

@dhruv
Copy link
Contributor Author

dhruv commented Mar 8, 2023

Rebased. Brought in changes from bitcoin-core/secp256k1#1129.

dhruv added 10 commits March 20, 2023 13:34
8034c67a48 Add doc/ellswift.md with ElligatorSwift explanation
e90aa4e62e Add ellswift testing to CI
131faedd8a Add ElligatorSwift ctime tests
198a04c058 Add tests for ElligatorSwift
9984bfe476 Add ElligatorSwift benchmarks
f053da3ab7 Add ellswift module implementing ElligatorSwift
76c64be237 Add functions to test if X coordinate is valid
aff948fca2 Add benchmark for key generation
5ed9314d6d Add exhaustive tests for ecmult_const_xonly
b69fe88d5e Add x-only ecmult_const version for x=n/d
427bc3c Merge bitcoin-core/secp256k1#1236: Update comment for secp256k1_modinv32_inv256
647f0a5 Update comment for secp256k1_modinv32_inv256
5658209 Merge bitcoin-core/secp256k1#1228: release cleanup: bump version after 0.3.0
28e63f7 release cleanup: bump version after 0.3.0

git-subtree-dir: src/secp256k1
git-subtree-split: 8034c67a48dc1334bc74ee4ba239111a23d9789e
@dhruv
Copy link
Contributor Author

dhruv commented Mar 21, 2023

Rebased.

@DrahtBot
Copy link
Contributor

DrahtBot commented Apr 3, 2023

🐙 This pull request conflicts with the target branch and needs rebase.

@fanquake
Copy link
Member

Closing this for now, as it's partly included in #27479.

@fanquake fanquake closed this Apr 18, 2023
@sipa sipa mentioned this pull request May 12, 2023
43 tasks
achow101 added a commit that referenced this pull request Jun 26, 2023
3168b08 Bench test for EllSwift ECDH (Pieter Wuille)
42d759f Bench tests for CKey->EllSwift (dhruv)
2e5a8a4 Fuzz test for Ellswift ECDH (dhruv)
c3ac9f5 Fuzz test for CKey->EllSwift->CPubKey creation/decoding (dhruv)
aae432a Unit test for ellswift creation/decoding roundtrip (dhruv)
eff72a0 Add ElligatorSwift key creation and ECDH logic (Pieter Wuille)
42239f8 Enable ellswift module in libsecp256k1 (dhruv)
901336e Squashed 'src/secp256k1/' changes from 4258c54..705ce7e (Pieter Wuille)

Pull request description:

  This replaces #23432 and part of #23561.

  This PR introduces all of the ElligatorSwift-related changes (libsecp256k1 updates, generation, decoding, ECDH, tests, fuzzing, benchmarks) needed for BIP324.

  ElligatorSwift is a special 64-byte encoding format for public keys introduced in libsecp256k1 in bitcoin-core/secp256k1#1129. It has the property that *every* 64-byte array is a valid encoding for some public key, and every key has approximately $2^{256}$ encodings. Furthermore, it is possible to efficiently generate a uniformly random encoding for a given public key or private key. This is used for the key exchange phase in BIP324, to achieve a byte stream that is entirely pseudorandom, even before the shared encryption key is established.

ACKs for top commit:
  instagibbs:
    reACK 3168b08
  achow101:
    ACK 3168b08
  theStack:
    re-ACK 3168b08

Tree-SHA512: 308ac3d33e9a2deecb65826cbf0390480a38de201918429c35c796f3421cdf94c5501d027a043ae8f012cfaa0584656da1de6393bfba3532ab4c20f9533f06a6
@bitcoin bitcoin locked and limited conversation to collaborators Apr 17, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
No open projects
Status: Needs review
Development

Successfully merging this pull request may close these issues.

8 participants