bitcoinrb 1.4.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 544382f715d87eb79e185e310c827b2349c0af75c1bd89887a653510e226cd1f
-  data.tar.gz: c807d0965da7c06f71b248d5a543ccfff2375d702a6ab4db70698c4be245720d
+  metadata.gz: f2697b9fbcca175453c80fc67d70466845c7141e6b9e9f193b5825d34bd7ffa3
+  data.tar.gz: 61a5c26a7cfaf7abcc7c692386ff08091ea0249c9e8ea9ccb4f3231049319f47
 SHA512:
-  metadata.gz: 22ea36535fb045c35d28809f87c60f4451e2d37801e7a231772068c268d6e58cdeb086456ffc649091a5a28a82815af77f6d35ef286a7a101e53fa3f97e55a9a
-  data.tar.gz: 7ca7b637b77bdde57d2af3faf056184397b1d87fd98dd5c46933dfb40e716d5bf8ef56890691771b97d8e66dde1c9684cb1d03e9f74f99d4f8b5bbaeb6a37e2c
+  metadata.gz: 40574931606fc1ff074f638bda7042f86c0225a5661f37622971e0b9502e039c5010d31663c34846c80f0bff2d25a02122eb4773e30a6fadad72bb170260b114
+  data.tar.gz: aaefa2672459d1d133191aecf8cbe0e8391210647e109c6e5205e349e264ad2303b25c36d4812daf5f5f0e88fb15cc4b0bfc54653ba0a2b4a8bac9fd5fd9b5d6

data/.github/workflows/ruby.yml

@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['3.0', '3.1', '3.2']
+        ruby-version: ['3.0', '3.1', '3.2', '3.3']
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Install leveldb
       run: sudo apt-get install libleveldb-dev
     - name: Set up Ruby

data/.ruby-version

@@ -1 +1 @@
-ruby-3.2.0
+ruby-3.3.0

data/README.md

@@ -1,6 +1,5 @@
 # Bitcoinrb [![Build Status](https://github.com/chaintope/bitcoinrb/actions/workflows/ruby.yml/badge.svg?branch=master)](https://github.com/chaintope/bitcoinrb/actions/workflows/ruby.yml) [![Gem Version](https://badge.fury.io/rb/bitcoinrb.svg)](https://badge.fury.io/rb/bitcoinrb) [![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](LICENSE) <img src="http://segwit.co/static/public/images/logo.png" width="100">
 
-
 Bitcoinrb is a Ruby implementation of Bitcoin Protocol.
 
 NOTE: Bitcoinrb work in progress, and there is a possibility of incompatible change. 
@@ -18,10 +17,9 @@ Bitcoinrb supports following feature:
 * bech32([BIP-173](https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki)) and bech32m([BIP-350](https://github.com/bitcoin/bips/blob/master/bip-0350.mediawiki)) address support
 * [BIP-174](https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki) PSBT(Partially Signed Bitcoin Transaction) support
 * [BIP-85](https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki) Deterministic Entropy From BIP32 Keychains support by `Bitcoin::BIP85Entropy` class.
-* Schnorr signature([BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki))  
-* Taproot consensus([BIP-341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki) and [BIP-342](https://github.com/bitcoin/bips/blob/master/bip-0342.mediawiki))  
-* [WIP] SPV node
-* [WIP] 0ff-chain protocol
+* Schnorr signature([BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki))
+* Taproot consensus([BIP-341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki) and [BIP-342](https://github.com/bitcoin/bips/blob/master/bip-0342.mediawiki))
+* [Output script descriptor](https://github.com/chaintope/bitcoinrb/wiki/Output-Script-Descriptor) ([BIP-380](https://github.com/bitcoin/bips/blob/master/bip-0380.mediawiki), [BIP-381](https://github.com/bitcoin/bips/blob/master/bip-0381.mediawiki), [BIP-382](https://github.com/bitcoin/bips/blob/master/bip-0382.mediawiki), [BIP-383](https://github.com/bitcoin/bips/blob/master/bip-0383.mediawiki), [BIP-384](https://github.com/bitcoin/bips/blob/master/bip-0384.mediawiki), [BIP-385](https://github.com/bitcoin/bips/blob/master/bip-0385.mediawiki), [BIP-386](https://github.com/bitcoin/bips/blob/master/bip-0386.mediawiki), [BIP-387](https://github.com/bitcoin/bips/blob/master/bip-0387.mediawiki))
 
 ## Requirements
 
@@ -105,6 +103,19 @@ Bitcoin.chain_params = :signet
 
 This parameter is described in https://github.com/chaintope/bitcoinrb/blob/master/lib/bitcoin/chainparams/signet.yml.
 
+## Test
+
+This library can use the [libsecp256k1](https://github.com/bitcoin-core/secp256k1/) dynamic library.
+Therefore, some tests require this library. In a Linux environment, `spec/lib/libsecp256k1.so` is already located,
+so there is no need to do anything. If you want to test in another environment,
+please set the library path in the environment variable `TEST_LIBSECP256K1_PATH`.
+
+In case the supplied linux `spec/lib/libsecp256k1.so` is not working (architecture), you might have to compile it yourself.
+Since if available in the repository, it might not be compiled using the `./configure --enable-module-recovery` option.
+Then `TEST_LIBSECP256K1_PATH=/path/to/secp256k1/.libs/libsecp256k1.so rspec` can be used.
+
+The libsecp256k1 library currently tested for operation with this library is `v0.4.0`.
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/bitcoinrb. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.

data/bitcoinrb.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency 'ecdsa_ext', '~> 0.5.0'
+  spec.add_runtime_dependency 'ecdsa_ext', '~> 0.5.1'
   spec.add_runtime_dependency 'eventmachine'
   spec.add_runtime_dependency 'murmurhash3', '~> 0.1.7'
   spec.add_runtime_dependency 'bech32', '>= 1.3.0'
@@ -32,7 +32,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'iniparse'
   spec.add_runtime_dependency 'siphash'
   spec.add_runtime_dependency 'json_pure', '>= 2.3.1'
-  spec.add_runtime_dependency 'bip-schnorr', '>= 0.5.0'
+  spec.add_runtime_dependency 'bip-schnorr', '>= 0.7.0'
   spec.add_runtime_dependency 'base32', '>= 0.3.4'
 
   # for options

data/lib/bitcoin/bip324/cipher.rb

@@ -0,0 +1,113 @@
+module Bitcoin
+  module BIP324
+    # The BIP324 packet cipher, encapsulating its key derivation, stream cipher, and AEAD.
+    class Cipher
+      include Bitcoin::Util
+
+      HEADER = [1 << 7].pack('C')
+      HEADER_LEN = 1
+      LENGTH_LEN = 3
+      EXPANSION = LENGTH_LEN + HEADER_LEN + 16
+
+      attr_reader :key
+      attr_reader :our_pubkey
+
+      attr_accessor :session_id
+      attr_accessor :send_garbage_terminator
+      attr_accessor :recv_garbage_terminator
+      attr_accessor :send_l_cipher
+      attr_accessor :send_p_cipher
+      attr_accessor :recv_l_cipher
+      attr_accessor :recv_p_cipher
+
+      # Constructor
+      # @param [Bitcoin::Key] key Private key.
+      # @param [Bitcoin::BIP324::EllSwiftPubkey] our_pubkey Ellswift public key for testing.
+      # @raise ArgumentError
+      def initialize(key, our_pubkey = nil)
+        raise ArgumentError, "key must be Bitcoin::Key" unless key.is_a?(Bitcoin::Key)
+        raise ArgumentError, "our_pubkey must be Bitcoin::BIP324::EllSwiftPubkey" if our_pubkey && !our_pubkey.is_a?(Bitcoin::BIP324::EllSwiftPubkey)
+        @our_pubkey = our_pubkey ? our_pubkey : key.create_ell_pubkey
+        @key = key
+      end
+
+      # Setup when the other side's public key is received.
+      # @param [Bitcoin::BIP324::EllSwiftPubkey] their_pubkey
+      # @param [Boolean] initiator Set true if we are the initiator establishing the v2 P2P connection.
+      # @param [Boolean] self_decrypt only for testing, and swaps encryption/decryption keys, so that encryption
+      # and decryption can be tested without knowing the other side's private key.
+      def setup(their_pubkey, initiator, self_decrypt = false)
+        salt = 'bitcoin_v2_shared_secret' + Bitcoin.chain_params.magic_head.htb
+        ecdh_secret = BIP324.v2_ecdh(key.priv_key, their_pubkey, our_pubkey, initiator).htb
+        terminator = hkdf_sha256(ecdh_secret, salt, 'garbage_terminators')
+        side = initiator != self_decrypt
+        if side
+          self.send_l_cipher = FSChaCha20.new(hkdf_sha256(ecdh_secret, salt, 'initiator_L'))
+          self.send_p_cipher = FSChaCha20Poly1305.new(hkdf_sha256(ecdh_secret, salt, 'initiator_P'))
+          self.recv_l_cipher = FSChaCha20.new(hkdf_sha256(ecdh_secret, salt, 'responder_L'))
+          self.recv_p_cipher = FSChaCha20Poly1305.new(hkdf_sha256(ecdh_secret, salt, 'responder_P'))
+        else
+          self.recv_l_cipher = FSChaCha20.new(hkdf_sha256(ecdh_secret, salt, 'initiator_L'))
+          self.recv_p_cipher = FSChaCha20Poly1305.new(hkdf_sha256(ecdh_secret, salt, 'initiator_P'))
+          self.send_l_cipher = FSChaCha20.new(hkdf_sha256(ecdh_secret, salt, 'responder_L'))
+          self.send_p_cipher = FSChaCha20Poly1305.new(hkdf_sha256(ecdh_secret, salt, 'responder_P'))
+        end
+        if initiator
+          self.send_garbage_terminator = terminator[0...16].bth
+          self.recv_garbage_terminator = terminator[16..-1].bth
+        else
+          self.recv_garbage_terminator = terminator[0...16].bth
+          self.send_garbage_terminator = terminator[16..-1].bth
+        end
+        self.session_id = hkdf_sha256(ecdh_secret, salt, 'session_id').bth
+      end
+
+      # Encrypt a packet. Only after setup.
+      # @param [String] contents Packet with binary format.
+      # @param [String] aad AAD
+      # @param [Boolean] ignore Whether contains ignore bit or not.
+      # @raise Bitcoin::BIP324::TooLargeContent
+      def encrypt(contents, aad: '', ignore: false)
+        raise Bitcoin::BIP324::TooLargeContent unless contents.bytesize <= (2**24 - 1)
+
+        # encrypt length
+        len = Array.new(3)
+        len[0] = contents.bytesize & 0xff
+        len[1] = (contents.bytesize >> 8) & 0xff
+        len[2] = (contents.bytesize >> 16) & 0xff
+        enc_plaintext_len = send_l_cipher.encrypt(len.pack('C*'))
+
+        # encrypt contents
+        header = ignore ? HEADER : "00".htb
+        plaintext = header + contents
+        aead_ciphertext = send_p_cipher.encrypt(aad, plaintext)
+        enc_plaintext_len + aead_ciphertext
+      end
+
+      # Decrypt a packet. Only after setup.
+      # @param [String] input Packet to be decrypt.
+      # @param [String] aad AAD
+      # @param [Boolean] ignore Whether contains ignore bit or not.
+      # @return [String] Plaintext
+      # @raise Bitcoin::BIP324::InvalidPaketLength
+      def decrypt(input, aad: '', ignore: false)
+        len = decrypt_length(input[0...Bitcoin::BIP324::Cipher::LENGTH_LEN])
+        raise Bitcoin::BIP324::InvalidPaketLength unless input.bytesize == len + EXPANSION
+        recv_p_cipher.decrypt(aad, input[Bitcoin::BIP324::Cipher::LENGTH_LEN..-1])
+      end
+
+      private
+
+      # Decrypt the length of a packet. Only after setup.
+      # @param [String] input Length packet with binary format.
+      # @return [Integer] length
+      # @raise Bitcoin::BIP324::InvalidPaketLength
+      def decrypt_length(input)
+        raise Bitcoin::BIP324::InvalidPaketLength unless input.bytesize == LENGTH_LEN
+        ret = recv_l_cipher.decrypt(input)
+        b0, b1, b2 = ret.unpack('CCC')
+        b0 + (b1 << 8) + (b2 << 16)
+      end
+    end
+  end
+end

data/lib/bitcoin/bip324/ell_swift_pubkey.rb

@@ -0,0 +1,42 @@
+module Bitcoin
+  module BIP324
+    # An ElligatorSwift-encoded public key.
+    class EllSwiftPubkey
+      include Schnorr::Util
+
+      SIZE = 64
+
+      attr_reader :key
+
+      # Constructor
+      # @param [String] key 64 bytes of key data.
+      # @raise Bitcoin::BIP324::InvalidEllSwiftKey If key is invalid.
+      def initialize(key)
+        @key = hex2bin(key)
+        raise Bitcoin::BIP324::InvalidEllSwiftKey, 'key must be 64 bytes.' unless @key.bytesize == SIZE
+      end
+
+      # Decode to public key.
+      # @return [Bitcoin::Key] Decoded public key.
+      def decode
+        if Bitcoin.secp_impl.is_a?(Bitcoin::Secp256k1::Native)
+          pubkey = Bitcoin.secp_impl.ellswift_decode(key)
+          Bitcoin::Key.new(pubkey: pubkey, key_type: Bitcoin::Key::TYPES[:compressed])
+        else
+          u = key[0...32].bth
+          t = key[32..-1].bth
+          x = BIP324.xswiftec(u, t)
+          Bitcoin::Key.new(pubkey: "03#{x}")
+        end
+      end
+
+      # Check whether same public key or not?
+      # @param [Bitcoin::BIP324::EllSwiftPubkey] other
+      # @return [Boolean]
+      def ==(other)
+        return false unless other.is_a?(EllSwiftPubkey)
+        key == other.key
+      end
+    end
+  end
+end

data/lib/bitcoin/bip324/fs_chacha20.rb

@@ -0,0 +1,132 @@
+module Bitcoin
+  module BIP324
+
+    module ChaCha20
+      module_function
+
+      INDICES = [
+        [0, 4, 8, 12], [1, 5, 9, 13], [2, 6, 10, 14], [3, 7, 11, 15],
+        [0, 5, 10, 15], [1, 6, 11, 12], [2, 7, 8, 13], [3, 4, 9, 14]
+      ]
+
+      CONSTANTS = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]
+
+      # Rotate the 32-bit value v left by bits bits.
+      # @param [Integer] v
+      # @param [Integer] bits
+      # @return [Integer]
+      def rotl32(v, bits)
+        raise Bitcoin::BIP324::Error, "v must be integer" unless v.is_a?(Integer)
+        raise Bitcoin::BIP324::Error, "bits must be integer" unless bits.is_a?(Integer)
+        ((v << bits) & 0xffffffff) | (v >> (32 - bits))
+      end
+
+      # Apply a ChaCha20 double round to 16-element state array +s+.
+      # @param [Array[Integer]] s
+      # @return
+      def double_round(s)
+        raise Bitcoin::BIP324::Error, "s must be Array" unless s.is_a?(Array)
+        INDICES.each do |a, b, c, d|
+          s[a] = (s[a] + s[b]) & 0xffffffff
+          s[d] = rotl32(s[d] ^ s[a], 16)
+          s[c] = (s[c] + s[d]) & 0xffffffff
+          s[b] = rotl32(s[b] ^ s[c], 12)
+          s[a] = (s[a] + s[b]) & 0xffffffff
+          s[d] = rotl32(s[d] ^ s[a], 8)
+          s[c] = (s[c] + s[d]) & 0xffffffff
+          s[b] = rotl32(s[b] ^ s[c], 7)
+        end
+        s
+      end
+
+      # Compute the 64-byte output of the ChaCha20 block function.
+      # @param [String] key 32-bytes key with binary format.
+      # @param [String] nonce 12-byte nonce with binary format.
+      # @param [Integer] count 32-bit integer counter.
+      # @return [String] 64-byte output.
+      def block(key, nonce, count)
+        raise Bitcoin::BIP324::Error, "key must be 32 byte string" if !key.is_a?(String) || key.bytesize != 32
+        raise Bitcoin::BIP324::Error, "nonce must be 12 byte string" if !nonce.is_a?(String) || nonce.bytesize != 12
+        raise Bitcoin::BIP324::Error, "count must be integer" unless count.is_a?(Integer)
+        # Initialize state
+        init = Array.new(16, 0)
+        4.times {|i| init[i] = CONSTANTS[i]}
+        key = key.unpack("V*")
+        8.times {|i| init[4 + i] = key[i]}
+        init[12] = count
+        nonce = nonce.unpack("V*")
+        3.times {|i| init[13 + i] = nonce[i]}
+        # Perform 20 rounds
+        state = init.dup
+        10.times do
+          state = double_round(state)
+        end
+        # Add initial values back into state.
+        16.times do |i|
+          state[i] = (state[i] + init[i]) & 0xffffffff
+        end
+        state.pack("V16")
+      end
+    end
+
+    # Rekeying wrapper stream cipher around ChaCha20.
+    class FSChaCha20
+      attr_accessor :key
+      attr_reader :rekey_interval
+      attr_accessor :chunk_counter
+      attr_accessor :block_counter
+      attr_accessor :key_stream
+
+      def initialize(initial_key, rekey_interval = BIP324::REKEY_INTERVAL)
+        @block_counter = 0
+        @chunk_counter = 0
+        @key = initial_key
+        @rekey_interval = rekey_interval
+        @key_stream = ''
+      end
+
+      # Encrypt a chunk
+      # @param [String] chunk Chunk data with binary format.
+      # @return [String] Encrypted data with binary format.
+      def encrypt(chunk)
+        crypt(chunk)
+      end
+
+      # Decrypt a chunk
+      # @param [String] chunk Chunk data with binary format.
+      # @return [String] Decrypted data with binary format.
+      def decrypt(chunk)
+        crypt(chunk)
+      end
+
+      private
+
+      def key_stream_bytes(n_bytes)
+        while key_stream.bytesize < n_bytes
+          nonce = [0, (chunk_counter / REKEY_INTERVAL)].pack("VQ<")
+          self.key_stream << ChaCha20.block(key, nonce, block_counter)
+          self.block_counter += 1
+        end
+        ret = self.key_stream[0...n_bytes]
+        self.key_stream = self.key_stream[n_bytes..-1]
+        ret
+      end
+
+      # Encrypt or decrypt a chunk.
+      # @param [String] chunk Chunk data with binary format.
+      # @return [String]
+      def crypt(chunk)
+        ks = key_stream_bytes(chunk.bytesize)
+        ret = chunk.unpack("C*").zip(ks.unpack("C*")).map do |c, k|
+          c ^ k
+        end.pack("C*")
+        if (self.chunk_counter + 1) % rekey_interval == 0
+          self.key = key_stream_bytes(32)
+          self.block_counter = 0
+        end
+        self.chunk_counter += 1
+        ret
+      end
+    end
+  end
+end

data/lib/bitcoin/bip324/fs_chacha_poly1305.rb

@@ -0,0 +1,129 @@
+module Bitcoin
+  module BIP324
+    # Class representing a running poly1305 computation.
+    class Poly1305
+
+      MODULUS = 2**130 - 5
+      TAG_LEN = 16
+
+      attr_reader :r
+      attr_reader :s
+      attr_accessor :acc
+
+      # Constructor
+      #
+      def initialize(key)
+        @r = key[0...16].reverse.bti & 0xffffffc0ffffffc0ffffffc0fffffff
+        @s = key[16..-1].reverse.bti
+        @acc = 0
+      end
+
+      # Add a message of any length. Input so far must be a multiple of 16 bytes.
+      # @param [String] msg A message with binary format.
+      # @return [Poly1305] self
+      def add(msg, length: nil, padding: false)
+        len = length ? length : msg.bytesize
+        ((len + 15) / 16).times do |i|
+          chunk = msg[(i * 16)...(i * 16 + [16, len - i * 16].min)]
+          val = chunk.reverse.bti + 256**(padding ? 16 : chunk.bytesize)
+          self.acc = r * (acc + val) % MODULUS
+        end
+        self
+      end
+
+      # Compute the poly1305 tag.
+      # @return Poly1305 tag wit binary format.
+      def tag
+        ECDSA::Format::IntegerOctetString.encode((acc + s) & 0xffffffffffffffffffffffffffffffff, TAG_LEN).reverse
+      end
+    end
+
+    # Forward-secure wrapper around AEADChaCha20Poly1305.
+    class FSChaCha20Poly1305
+      attr_accessor :aead
+      attr_reader :rekey_interval
+      attr_accessor :packet_counter
+      attr_accessor :key
+
+      def initialize(initial_key, rekey_interval = REKEY_INTERVAL)
+        @packet_counter = 0
+        @rekey_interval = rekey_interval
+        @key = initial_key
+      end
+
+      # Encrypt a +plaintext+ with a specified +aad+.
+      # @param [String] aad AAD
+      # @param [String] plaintext Data to be encrypted with binary format.
+      # @return [String] Ciphertext
+      def encrypt(aad, plaintext)
+        crypt(aad, plaintext, false)
+      end
+
+      # Decrypt a *ciphertext* with a specified +aad+.
+      # @param [String] aad AAD
+      # @param [String] ciphertext Data to be decrypted with binary format.
+      # @return [Array] [header, plaintext]
+      def decrypt(aad, ciphertext)
+        contents = crypt(aad, ciphertext, true)
+        [contents[0], contents[1..-1]]
+      end
+
+      private
+
+      # Encrypt or decrypt the specified (plain/cipher)text.
+      def crypt(aad, text, is_decrypt)
+        nonce = [packet_counter % rekey_interval, packet_counter / rekey_interval].pack("VQ<")
+        ret = if is_decrypt
+                chacha20_poly1305_decrypt(key, nonce, aad, text)
+              else
+                chacha20_poly1305_encrypt(key, nonce, aad, text)
+              end
+        if (packet_counter + 1) % rekey_interval == 0
+          rekey_nonce = "ffffffff".htb + nonce[4..-1]
+          newkey1 = chacha20_poly1305_encrypt(key, rekey_nonce, "", "00".htb * 32)[0...32]
+          newkey2 = ChaCha20.block(key, rekey_nonce, 1)[0...32]
+          raise Bitcoin::BIP324::Error, "newkey1 != newkey2" unless newkey1 == newkey2
+          self.key = newkey1
+        end
+        self.packet_counter += 1
+        ret
+      end
+
+      # Encrypt a plaintext using ChaCha20Poly1305.
+      def chacha20_poly1305_encrypt(key, nonce, aad, plaintext)
+        msg_len = plaintext.bytesize
+        ret = ((msg_len + 63) / 64).times.map do |i|
+          now = [64, msg_len - 64 * i].min
+          keystream = ChaCha20.block(key, nonce, i + 1)
+          now.times.map do |j|
+            plaintext[j + 64 * i].unpack1('C') ^ keystream[j].unpack1('C')
+          end
+        end
+        ret = ret.flatten.pack('C*')
+        poly1305 = Poly1305.new(ChaCha20.block(key, nonce, 0)[0...32])
+        poly1305.add(aad, padding: true).add(ret, padding: true)
+        poly1305.add([aad.bytesize, msg_len].pack("Q<Q<"))
+        ret + poly1305.tag
+      end
+
+      # Decrypt a ChaCha20Poly1305 ciphertext.
+      def chacha20_poly1305_decrypt(key, nonce, aad, ciphertext)
+        return nil if ciphertext.bytesize < 16
+        msg_len = ciphertext.bytesize - 16
+        poly1305 = Poly1305.new(ChaCha20.block(key, nonce, 0)[0...32])
+        poly1305.add(aad, padding: true)
+        poly1305.add(ciphertext, length: msg_len, padding: true)
+        poly1305.add([aad.bytesize, msg_len].pack("Q<Q<"))
+        return nil unless ciphertext[-16..-1] == poly1305.tag
+        ret = ((msg_len + 63) / 64).times.map do |i|
+          now = [64, msg_len - 64 * i].min
+          keystream = ChaCha20.block(key, nonce, i + 1)
+          now.times.map do |j|
+            ciphertext[j + 64 * i].unpack1('C') ^ keystream[j].unpack1('C')
+          end
+        end
+        ret.flatten.pack('C*')
+      end
+    end
+  end
+end

data/lib/bitcoin/bip324.rb

@@ -0,0 +1,144 @@
+module Bitcoin
+  # BIP 324 module
+  # https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki
+  module BIP324
+
+    class Error < StandardError; end
+    class InvalidPaketLength < Error; end
+    class TooLargeContent < Error; end
+    class InvalidEllSwiftKey < Error; end
+
+    autoload :EllSwiftPubkey, 'bitcoin/bip324/ell_swift_pubkey'
+    autoload :Cipher, 'bitcoin/bip324/cipher'
+    autoload :FSChaCha20, 'bitcoin/bip324/fs_chacha20'
+    autoload :FSChaCha20Poly1305, 'bitcoin/bip324/fs_chacha_poly1305'
+
+    FIELD_SIZE = 2**256 - 2**32 - 977
+    FIELD = ECDSA::PrimeField.new(FIELD_SIZE)
+
+    REKEY_INTERVAL = 224 # packets
+
+    module_function
+
+    def sqrt(n)
+      candidate = FIELD.power(n, (FIELD.prime + 1) / 4)
+      return nil unless FIELD.square(candidate) == n
+      candidate
+    end
+
+    MINUS_3_SQRT = sqrt(FIELD.mod(-3))
+
+    # Decode field elements (u, t) to an X coordinate on the curve.
+    # @param [String] u u of ElligatorSwift encoding with hex format.
+    # @param [String] t t of ElligatorSwift encoding with hex format.
+    # @return [String] x coordinate with hex format.
+    def xswiftec(u, t)
+      u = FIELD.mod(u.hex)
+      t = FIELD.mod(t.hex)
+      u = 1 if u == 0
+      t = 1 if t == 0
+      t = FIELD.mod(2 * t) if FIELD.mod(FIELD.power(u, 3) + FIELD.power(t, 2) + 7) == 0
+      x = FIELD.mod(FIELD.mod(FIELD.power(u, 3) + 7 - FIELD.power(t, 2)) * FIELD.inverse(2 * t))
+      y = FIELD.mod((x + t) * FIELD.inverse(MINUS_3_SQRT * u))
+      x1 = FIELD.mod(u + 4 * FIELD.power(y, 2))
+      x2 = FIELD.mod(FIELD.mod(FIELD.mod(-x) * FIELD.inverse(y) - u) * FIELD.inverse(2))
+      x3 = FIELD.mod(FIELD.mod(x * FIELD.inverse(y) - u) * FIELD.inverse(2))
+      [x1, x2, x3].each do |x|
+        unless ECDSA::Group::Secp256k1.solve_for_y(x).empty?
+          return ECDSA::Format::IntegerOctetString.encode(x, 32).bth
+        end
+      end
+      raise ArgumentError, 'Decode failed.'
+    end
+
+    # Inverse map for ElligatorSwift. Given x and u, find t such that xswiftec(u, t) = x, or return nil.
+    # @param [String] x x coordinate with hex format
+    # @param [String] u u of ElligatorSwift encoding with hex format
+    # @param [Integer] c Case selects which of the up to 8 results to return.
+    # @return [String] Inverse of xswiftec(u, t) with hex format or nil.
+    def xswiftec_inv(x, u, c)
+      x = FIELD.mod(x.hex)
+      u = FIELD.mod(u.hex)
+      if c & 2 == 0
+        return nil unless ECDSA::Group::Secp256k1.solve_for_y(FIELD.mod(-x - u)).empty?
+        v = x
+        s = FIELD.mod(
+          -FIELD.mod(FIELD.power(u, 3) + 7) *
+            FIELD.inverse(FIELD.mod(FIELD.power(u, 2) + u * v + FIELD.power(v, 2))))
+      else
+        s = FIELD.mod(x - u)
+        return nil if s == 0
+        r = sqrt(FIELD.mod(-s * (4 * (FIELD.power(u, 3) + 7) + 3 * s * FIELD.power(u, 2))))
+        return nil if r.nil?
+        return nil if c & 1 == 1 && r == 0
+        v = FIELD.mod(FIELD.mod(-u + r * FIELD.inverse(s)) * FIELD.inverse(2))
+      end
+      w = sqrt(s)
+      return nil if w.nil?
+      result = if c & 5 == 0
+                 FIELD.mod(-w * FIELD.mod(u * (1 - MINUS_3_SQRT) * FIELD.inverse(2) + v))
+               elsif c & 5 == 1
+                 FIELD.mod(w * FIELD.mod(u * (1 + MINUS_3_SQRT) * FIELD.inverse(2) + v))
+               elsif c & 5 == 4
+                 FIELD.mod(w * FIELD.mod(u * (1 - MINUS_3_SQRT) * FIELD.inverse(2) + v))
+               elsif c & 5 == 5
+                 FIELD.mod(-w * FIELD.mod(u * (1 + MINUS_3_SQRT) * FIELD.inverse(2) + v))
+               else
+                 return nil
+                 end
+      ECDSA::Format::IntegerOctetString.encode(result, 32).bth
+    end
+
+    # Given a field element X on the curve, find (u, t) that encode them.
+    # @param [String] x coordinate with hex format.
+    # @return [String] ElligatorSwift public key with hex format.
+    def xelligatorswift(x)
+      loop do
+        u = SecureRandom.random_number(1..ECDSA::Group::Secp256k1.order).to_s(16)
+        c = Random.rand(0..8)
+        t = xswiftec_inv(x, u, c)
+        unless t.nil?
+          return (ECDSA::Format::IntegerOctetString.encode(u.hex, 32) +
+            ECDSA::Format::IntegerOctetString.encode(t.hex, 32)).bth
+        end
+      end
+    end
+
+    # Compute x coordinate of shared ECDH point between +ellswift_theirs+ and +priv_key+.
+    # @param [Bitcoin::BIP324::EllSwiftPubkey] ellswift_theirs Their EllSwift public key.
+    # @param [String] priv_key Private key with hex format.
+    # @return [String] x coordinate of shared ECDH point with hex format.
+    # @raise ArgumentError
+    def ellswift_ecdh_xonly(ellswift_theirs, priv_key)
+      raise ArgumentError, "ellswift_theirs must be a Bitcoin::BIP324::EllSwiftPubkey" unless ellswift_theirs.is_a?(Bitcoin::BIP324::EllSwiftPubkey)
+      d = priv_key.hex
+      x = ellswift_theirs.decode.to_point.x
+      field = BIP324::FIELD
+      y = BIP324.sqrt(field.mod(field.power(x, 3) + 7))
+      return nil unless y
+      point = ECDSA::Point.new(ECDSA::Group::Secp256k1, x, y) * d
+      ECDSA::Format::FieldElementOctetString.encode(point.x, point.group.field).bth
+    end
+
+    # Compute BIP324 shared secret.
+    # @param [String] priv_key Private key with hex format.
+    # @param [Bitcoin::BIP324::EllSwiftPubkey] ellswift_theirs Their EllSwift public key.
+    # @param [Bitcoin::BIP324::EllSwiftPubkey] ellswift_ours Our EllSwift public key.
+    # @param [Boolean] initiating Whether your initiator or not.
+    # @return [String] Shared secret with hex format.
+    # @raise ArgumentError
+    def v2_ecdh(priv_key, ellswift_theirs, ellswift_ours, initiating)
+      raise ArgumentError, "ellswift_theirs must be a Bitcoin::BIP324::EllSwiftPubkey" unless ellswift_theirs.is_a?(Bitcoin::BIP324::EllSwiftPubkey)
+      raise ArgumentError, "ellswift_ours must be a Bitcoin::BIP324::EllSwiftPubkey" unless ellswift_ours.is_a?(Bitcoin::BIP324::EllSwiftPubkey)
+
+      if Bitcoin.secp_impl.is_a?(Bitcoin::Secp256k1::Native)
+        Bitcoin::Secp256k1::Native.ellswift_ecdh_xonly(ellswift_theirs, ellswift_ours, priv_key, initiating)
+      else
+        ecdh_point_x32 = ellswift_ecdh_xonly(ellswift_theirs, priv_key).htb
+        content = initiating ? ellswift_ours.key + ellswift_theirs.key + ecdh_point_x32 :
+                    ellswift_theirs.key + ellswift_ours.key + ecdh_point_x32
+        Bitcoin.tagged_hash('bip324_ellswift_xonly_ecdh', content).bth
+      end
+    end
+  end
+end