by merging it with the version packet. Or more accurately, by merging
it with the first packet sent after garbage termination, which may be
a decoy packet or the version packet.
The new protocol simplifies implementations:
- A protocol state machine won't need separate states for garbage
authentication and version phases.
- The special case of "ignoring the ignore bit" is removed.
- The freedom to choose the contents of the garbage authentication
packet is removed. This simplifies testing.
The reason for having a separate garbage authentication packet was
to materialize the separation of the key exchange phase and version
negotiation phase even in the bytestream on the wire. However, this
is not necessary, and arguably, these phases are still properly
separated: Since the AEAD will ensure that AAD (=garbage) is checked
before looking at the contents (=version), the peers won't interpret
version data before having authenticated the garbage.
Includes:
* Simpler (but equivalent) ElligatorSwift encoding function & spec
* Improved test vectors
* Test vector generation code
* Code for converting test vectors for libsecp256k1 code.
* Code for running test vectors against SwiftEC paper authors' code.
* Miscellaneous reference code improvements (style, comments).
