bitcoin-core
diff --git a/‎build_msvc/libsecp256k1/libsecp256k1.vcxproj
+1-1 b/‎build_msvc/libsecp256k1/libsecp256k1.vcxproj
+1-1
diff --git a/‎src/Makefile.bench.include
+2 b/‎src/Makefile.bench.include
+2
diff --git a/‎src/bench/bip324_ecdh.cpp
+51 b/‎src/bench/bip324_ecdh.cpp
+51
diff --git a/‎src/bench/ellswift.cpp
+31 b/‎src/bench/ellswift.cpp
+31
diff --git a/‎src/key.cpp
+37 b/‎src/key.cpp
+37
diff --git a/‎src/key.h
+27 b/‎src/key.h
+27
diff --git a/‎src/pubkey.cpp
+15 b/‎src/pubkey.cpp
+15
diff --git a/‎src/pubkey.h
+32 b/‎src/pubkey.h
+32
diff --git a/‎src/random.cpp
+6 b/‎src/random.cpp
+6
diff --git a/‎src/random.h
+3 b/‎src/random.h
+3
diff --git a/‎src/secp256k1/.cirrus.yml
+15-7 b/‎src/secp256k1/.cirrus.yml
+15-7
@@ -14,7 +14,7 @@
   </ItemGroup>
   <ItemDefinitionGroup>
     <ClCompile>
-      <PreprocessorDefinitions>ENABLE_MODULE_RECOVERY;ENABLE_MODULE_EXTRAKEYS;ENABLE_MODULE_SCHNORRSIG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>ENABLE_MODULE_RECOVERY;ENABLE_MODULE_EXTRAKEYS;ENABLE_MODULE_SCHNORRSIG;ENABLE_MODULE_ELLSWIFT;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <UndefinePreprocessorDefinitions>USE_ASM_X86_64;%(UndefinePreprocessorDefinitions)</UndefinePreprocessorDefinitions>
       <AdditionalIncludeDirectories>..\..\src\secp256k1;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <DisableSpecificWarnings>4146;4244;4267;4334</DisableSpecificWarnings>
 
@@ -18,6 +18,7 @@ bench_bench_bitcoin_SOURCES = \
   bench/bench.cpp \
   bench/bench.h \
   bench/bench_bitcoin.cpp \
+  bench/bip324_ecdh.cpp \
   bench/block_assemble.cpp \
   bench/ccoins_caching.cpp \
   bench/chacha20.cpp \
@@ -29,6 +30,7 @@ bench_bench_bitcoin_SOURCES = \
   bench/data.h \
   bench/descriptors.cpp \
   bench/duplicate_inputs.cpp \
+  bench/ellswift.cpp \
   bench/examples.cpp \
   bench/gcs_filter.cpp \
   bench/hashpadding.cpp \
 
@@ -0,0 +1,51 @@
+// Copyright (c) 2022 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <bench/bench.h>
+
+#include <key.h>
+#include <pubkey.h>
+#include <random.h>
+#include <span.h>
+
+#include <array>
+#include <cstddef>
+
+static void BIP324_ECDH(benchmark::Bench& bench)
+{
+    ECC_Start();
+    FastRandomContext rng;
+
+    std::array<std::byte, 32> key_data;
+    std::array<std::byte, EllSwiftPubKey::size()> our_ellswift_data;
+    std::array<std::byte, EllSwiftPubKey::size()> their_ellswift_data;
+
+    rng.fillrand(key_data);
+    rng.fillrand(our_ellswift_data);
+    rng.fillrand(their_ellswift_data);
+
+    bench.batch(1).unit("ecdh").run([&] {
+        CKey key;
+        key.Set(UCharCast(key_data.data()), UCharCast(key_data.data()) + 32, true);
+        EllSwiftPubKey our_ellswift(our_ellswift_data);
+        EllSwiftPubKey their_ellswift(their_ellswift_data);
+
+        auto ret = key.ComputeBIP324ECDHSecret(their_ellswift, our_ellswift, true);
+
+        // To make sure that the computation is not the same on every iteration (ellswift decoding
+        // is variable-time), distribute bytes from the shared secret over the 3 inputs. The most
+        // important one is their_ellswift, because that one is actually decoded, so it's given most
+        // bytes. The data is copied into the middle, so that both halves are affected:
+        // - Copy 8 bytes from the resulting shared secret into middle of the private key.
+        std::copy(ret.begin(), ret.begin() + 8, key_data.begin() + 12);
+        // - Copy 8 bytes from the resulting shared secret into the middle of our ellswift key.
+        std::copy(ret.begin() + 8, ret.begin() + 16, our_ellswift_data.begin() + 28);
+        // - Copy 16 bytes from the resulting shared secret into the middle of their ellswift key.
+        std::copy(ret.begin() + 16, ret.end(), their_ellswift_data.begin() + 24);
+    });
+
+    ECC_Stop();
+}
+
+BENCHMARK(BIP324_ECDH, benchmark::PriorityLevel::HIGH);
@@ -0,0 +1,31 @@
+// Copyright (c) 2022-2023 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <bench/bench.h>
+
+#include <key.h>
+#include <random.h>
+
+static void EllSwiftCreate(benchmark::Bench& bench)
+{
+    ECC_Start();
+
+    CKey key;
+    key.MakeNewKey(true);
+
+    uint256 entropy = GetRandHash();
+
+    bench.batch(1).unit("pubkey").run([&] {
+        auto ret = key.EllSwiftCreate(AsBytes(Span{entropy}));
+        /* Use the first 32 bytes of the ellswift encoded public key as next private key. */
+        key.Set(UCharCast(ret.data()), UCharCast(ret.data()) + 32, true);
+        assert(key.IsValid());
+        /* Use the last 32 bytes of the ellswift encoded public key as next entropy. */
+        std::copy(ret.begin() + 32, ret.begin() + 64, AsBytePtr(entropy.data()));
+    });
+
+    ECC_Stop();
+}
+
+BENCHMARK(EllSwiftCreate, benchmark::PriorityLevel::HIGH);
@@ -11,6 +11,7 @@
 #include <random.h>
 
 #include <secp256k1.h>
+#include <secp256k1_ellswift.h>
 #include <secp256k1_extrakeys.h>
 #include <secp256k1_recovery.h>
 #include <secp256k1_schnorrsig.h>
@@ -331,6 +332,42 @@ bool CKey::Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const
     return ret;
 }
 
+EllSwiftPubKey CKey::EllSwiftCreate(Span<const std::byte> ent32) const
+{
+    assert(fValid);
+    assert(ent32.size() == 32);
+    std::array<std::byte, EllSwiftPubKey::size()> encoded_pubkey;
+
+    auto success = secp256k1_ellswift_create(secp256k1_context_sign,
+                                             UCharCast(encoded_pubkey.data()),
+                                             keydata.data(),
+                                             UCharCast(ent32.data()));
+
+    // Should always succeed for valid keys (asserted above).
+    assert(success);
+    return {encoded_pubkey};
+}
+
+ECDHSecret CKey::ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift, const EllSwiftPubKey& our_ellswift, bool initiating) const
+{
+    assert(fValid);
+
+    ECDHSecret output;
+    // BIP324 uses the initiator as party A, and the responder as party B. Remap the inputs
+    // accordingly:
+    bool success = secp256k1_ellswift_xdh(secp256k1_context_sign,
+                                          UCharCast(output.data()),
+                                          UCharCast(initiating ? our_ellswift.data() : their_ellswift.data()),
+                                          UCharCast(initiating ? their_ellswift.data() : our_ellswift.data()),
+                                          keydata.data(),
+                                          initiating ? 0 : 1,
+                                          secp256k1_ellswift_xdh_hash_function_bip324,
+                                          nullptr);
+    // Should always succeed for valid keys (assert above).
+    assert(success);
+    return output;
+}
+
 bool CExtKey::Derive(CExtKey &out, unsigned int _nChild) const {
     if (nDepth == std::numeric_limits<unsigned char>::max()) return false;
     out.nDepth = nDepth + 1;
 
@@ -22,6 +22,12 @@
  */
 typedef std::vector<unsigned char, secure_allocator<unsigned char> > CPrivKey;
 
+/** Size of ECDH shared secrets. */
+constexpr static size_t ECDH_SECRET_SIZE = CSHA256::OUTPUT_SIZE;
+
+// Used to represent ECDH shared secret (ECDH_SECRET_SIZE bytes)
+using ECDHSecret = std::array<std::byte, ECDH_SECRET_SIZE>;
+
 /** An encapsulated private key. */
 class CKey
 {
@@ -156,6 +162,27 @@ class CKey
 
     //! Load private key and check that public key matches.
     bool Load(const CPrivKey& privkey, const CPubKey& vchPubKey, bool fSkipCheck);
+
+    /** Create an ellswift-encoded public key for this key, with specified entropy.
+     *
+     *  entropy must be a 32-byte span with additional entropy to use in the encoding. Every
+     *  public key has ~2^256 different encodings, and this function will deterministically pick
+     *  one of them, based on entropy. Note that even without truly random entropy, the
+     *  resulting encoding will be indistinguishable from uniform to any adversary who does not
+     *  know the private key (because the private key itself is always used as entropy as well).
+     */
+    EllSwiftPubKey EllSwiftCreate(Span<const std::byte> entropy) const;
+
+    /** Compute a BIP324-style ECDH shared secret.
+     *
+     *  - their_ellswift: EllSwiftPubKey that was received from the other side.
+     *  - our_ellswift: EllSwiftPubKey that was sent to the other side (must have been generated
+     *                  from *this using EllSwiftCreate()).
+     *  - initiating: whether we are the initiating party (true) or responding party (false).
+     */
+    ECDHSecret ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift,
+                                       const EllSwiftPubKey& our_ellswift,
+                                       bool initiating) const;
 };
 
 struct CExtKey {
 
@@ -7,6 +7,7 @@
 
 #include <hash.h>
 #include <secp256k1.h>
+#include <secp256k1_ellswift.h>
 #include <secp256k1_extrakeys.h>
 #include <secp256k1_recovery.h>
 #include <secp256k1_schnorrsig.h>
@@ -335,6 +336,20 @@ bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChi
     return true;
 }
 
+CPubKey EllSwiftPubKey::Decode() const
+{
+    secp256k1_pubkey pubkey;
+    secp256k1_ellswift_decode(secp256k1_context_static, &pubkey, UCharCast(m_pubkey.data()));
+
+    size_t sz = CPubKey::COMPRESSED_SIZE;
+    std::array<uint8_t, CPubKey::COMPRESSED_SIZE> vch_bytes;
+
+    secp256k1_ec_pubkey_serialize(secp256k1_context_static, vch_bytes.data(), &sz, &pubkey, SECP256K1_EC_COMPRESSED);
+    assert(sz == vch_bytes.size());
+
+    return CPubKey{vch_bytes.begin(), vch_bytes.end()};
+}
+
 void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
     code[0] = nDepth;
     memcpy(code+1, vchFingerprint, 4);
 
@@ -291,6 +291,38 @@ class XOnlyPubKey
     SERIALIZE_METHODS(XOnlyPubKey, obj) { READWRITE(obj.m_keydata); }
 };
 
+/** An ElligatorSwift-encoded public key. */
+struct EllSwiftPubKey
+{
+private:
+    static constexpr size_t SIZE = 64;
+    std::array<std::byte, SIZE> m_pubkey;
+
+public:
+    /** Construct a new ellswift public key from a given serialization. */
+    EllSwiftPubKey(const std::array<std::byte, SIZE>& ellswift) :
+        m_pubkey(ellswift) {}
+
+    /** Decode to normal compressed CPubKey (for debugging purposes). */
+    CPubKey Decode() const;
+
+    // Read-only access for serialization.
+    const std::byte* data() const { return m_pubkey.data(); }
+    static constexpr size_t size() { return SIZE; }
+    auto begin() const { return m_pubkey.cbegin(); }
+    auto end() const { return m_pubkey.cend(); }
+
+    bool friend operator==(const EllSwiftPubKey& a, const EllSwiftPubKey& b)
+    {
+        return a.m_pubkey == b.m_pubkey;
+    }
+
+    bool friend operator!=(const EllSwiftPubKey& a, const EllSwiftPubKey& b)
+    {
+        return a.m_pubkey != b.m_pubkey;
+    }
+};
+
 struct CExtPubKey {
     unsigned char version[4];
     unsigned char nDepth;
 
@@ -599,6 +599,12 @@ std::vector<unsigned char> FastRandomContext::randbytes(size_t len)
     return ret;
 }
 
+void FastRandomContext::fillrand(Span<std::byte> output)
+{
+    if (requires_seed) RandomSeed();
+    rng.Keystream(UCharCast(output.data()), output.size());
+}
+
 FastRandomContext::FastRandomContext(const uint256& seed) noexcept : requires_seed(false), bitbuf_size(0)
 {
     rng.SetKey32(seed.begin());
 
@@ -213,6 +213,9 @@ class FastRandomContext
     /** Generate random bytes. */
     std::vector<unsigned char> randbytes(size_t len);
 
+    /** Fill a byte Span with random bytes. */
+    void fillrand(Span<std::byte> output);
+
     /** Generate a random 32-bit integer. */
     uint32_t rand32() noexcept { return randbits(32); }
 
 
@@ -21,6 +21,7 @@ env:
   ECDH: no
   RECOVERY: no
   SCHNORRSIG: no
+  ELLSWIFT: no
   ### test options
   SECP256K1_TEST_ITERS:
   BENCH: yes
@@ -74,12 +75,12 @@ task:
   << : *LINUX_CONTAINER
   matrix: &ENV_MATRIX
     - env: {WIDEMUL:  int64,  RECOVERY: yes}
-    - env: {WIDEMUL:  int64,                 ECDH: yes, SCHNORRSIG: yes}
+    - env: {WIDEMUL:  int64,                 ECDH: yes, SCHNORRSIG: yes, ELLSWIFT: yes}
     - env: {WIDEMUL: int128}
-    - env: {WIDEMUL: int128_struct}
-    - env: {WIDEMUL: int128,  RECOVERY: yes,            SCHNORRSIG: yes}
+    - env: {WIDEMUL: int128_struct,                                      ELLSWIFT: yes}
+    - env: {WIDEMUL: int128,  RECOVERY: yes,            SCHNORRSIG: yes, ELLSWIFT: yes}
     - env: {WIDEMUL: int128,                 ECDH: yes, SCHNORRSIG: yes}
-    - env: {WIDEMUL: int128,  ASM: x86_64}
+    - env: {WIDEMUL: int128,  ASM: x86_64                              , ELLSWIFT: yes}
     - env: {                  RECOVERY: yes,            SCHNORRSIG: yes}
     - env: {CTIMETESTS: no,    RECOVERY: yes, ECDH: yes, SCHNORRSIG: yes, CPPFLAGS: -DVERIFY}
     - env: {BUILD: distcheck, WITH_VALGRIND: no, CTIMETESTS: no, BENCH: no}
@@ -154,6 +155,7 @@ task:
     ECDH: yes
     RECOVERY: yes
     SCHNORRSIG: yes
+    ELLSWIFT: yes
     CTIMETESTS: no
   << : *MERGE_BASE
   test_script:
@@ -173,10 +175,11 @@ task:
     ECDH: yes
     RECOVERY: yes
     SCHNORRSIG: yes
+    ELLSWIFT: yes
     CTIMETESTS: no
   matrix:
     - env: {}
-    - env: {EXPERIMENTAL: yes, ASM: arm}
+    - env: {EXPERIMENTAL: yes, ASM: arm32}
   << : *MERGE_BASE
   test_script:
     - ./ci/cirrus.sh
@@ -193,6 +196,7 @@ task:
     ECDH: yes
     RECOVERY: yes
     SCHNORRSIG: yes
+    ELLSWIFT: yes
     CTIMETESTS: no
   << : *MERGE_BASE
   test_script:
@@ -210,6 +214,7 @@ task:
     ECDH: yes
     RECOVERY: yes
     SCHNORRSIG: yes
+    ELLSWIFT: yes
     CTIMETESTS: no
   << : *MERGE_BASE
   test_script:
@@ -247,6 +252,7 @@ task:
     RECOVERY: yes
     EXPERIMENTAL: yes
     SCHNORRSIG: yes
+    ELLSWIFT: yes
     CTIMETESTS: no
     # Use a MinGW-w64 host to tell ./configure we're building for Windows.
     # This will detect some MinGW-w64 tools but then make will need only
@@ -286,6 +292,7 @@ task:
     ECDH: yes
     RECOVERY: yes
     SCHNORRSIG: yes
+    ELLSWIFT: yes
     CTIMETESTS: no
   matrix:
     - name: "Valgrind (memcheck)"
@@ -361,6 +368,7 @@ task:
     ECDH: yes
     RECOVERY: yes
     SCHNORRSIG: yes
+    ELLSWIFT: yes
   << : *MERGE_BASE
   test_script:
     - ./ci/cirrus.sh
@@ -397,13 +405,13 @@ task:
     - PowerShell -NoLogo -Command if ($env:CIRRUS_PR -ne $null) { git fetch $env:CIRRUS_REPO_CLONE_URL pull/$env:CIRRUS_PR/merge; git reset --hard FETCH_HEAD; }
   configure_script:
     - '%x64_NATIVE_TOOLS%'
-    - cmake -G "Visual Studio 17 2022" -A x64 -S . -B build -DSECP256K1_ENABLE_MODULE_RECOVERY=ON -DSECP256K1_BUILD_EXAMPLES=ON
+    - cmake -E env CFLAGS="/WX" cmake -G "Visual Studio 17 2022" -A x64 -S . -B build -DSECP256K1_ENABLE_MODULE_RECOVERY=ON -DSECP256K1_BUILD_EXAMPLES=ON
   build_script:
     - '%x64_NATIVE_TOOLS%'
     - cmake --build build --config RelWithDebInfo -- -property:UseMultiToolTask=true;CL_MPcount=5
   check_script:
     - '%x64_NATIVE_TOOLS%'
-    - ctest --test-dir build -j 5
+    - ctest -C RelWithDebInfo --test-dir build -j 5
     - build\src\RelWithDebInfo\bench_ecmult.exe
     - build\src\RelWithDebInfo\bench_internal.exe
     - build\src\RelWithDebInfo\bench.exe
Original file line number	Diff line number	Diff line change
`@@ -599,6 +599,12 @@ std::vector<unsigned char> FastRandomContext::randbytes(size_t len)`
`599`	`599`	`return ret;`
`600`	`600`	`}`
`601`	`601`
	`602`	`+void FastRandomContext::fillrand(Span<std::byte> output)`
	`603`	`+{`
	`604`	`+ if (requires_seed) RandomSeed();`
	`605`	`+ rng.Keystream(UCharCast(output.data()), output.size());`
	`606`	`+}`
	`607`	`+`
`602`	`608`	`FastRandomContext::FastRandomContext(const uint256& seed) noexcept : requires_seed(false), bitbuf_size(0)`
`603`	`609`	`{`
`604`	`610`	`rng.SetKey32(seed.begin());`