Initial Whisper implementation

[rphmeier]

Closes #4685

Summary of changes:

• whisper::net module contains the network handler, which maintains a pool of messages up to a given size. Messages with a higher PoW will push out those with lower.
• We respect other peers' topic bloom filters, but do not issue them ourselves (TODO)
• The RPC layer expects a common payload format, as well as three kinds of encryption:
  1. Asymmetric: ECIES
  2. Symmetric AES-GCM with multi-use key, random nonce appended to ciphertext
  3. Broadcast: Symmetric AES-GCM with single use key and global nonce, with key XOR'd into topic hashes. "salted topics" prepended to ciphertext.
• The payload format consists of the message body, arbitrary padding, and an optional signature.
• There are RPCs for creating ephemeral identities, either asymmetric (Secp256k1) or symmetric (AES-256-GCM).
• Enable Whisper with the --whisper flag, "shh" RPC API, and choose target memory (MB) with --whisper-pool-size. This could be made dynamic in the future.
• Subscribe or poll filters for messages with certain topics, signatures, and encryption/broadcast mode

[rphmeier]

I'm OK with adding a scheme for giving out topic bloom filters to peers, but I'd like the "darkness" to be configurable.

The rough idea is to take the list of each bloom relevant to a local subscription and give each of N peers 1 / N of them xor'd together, with a few random bits set. The hard part is making sure we always have coverage of all the subscriptions we care about even in the face of a changing or unreliable peer set.

An optional darkness parameter when creating a subscription which controls how much information we leak about that subscription would be a further goal.

[rphmeier]

(I'll ice this to post 1.7.0)

[arkpar]

Is invalid capabilities the only possible source of failure here? Why not just pass the error as it was before the change?

[rphmeier]

it's the only source of failure, yeah. @debris and I discussed making this function infallible before, and I figured this was a good time for it.

[arkpar]

Why not use H32? It supports RLP serialization and bloom filters already.

[rphmeier]

The bloom algorithm is slightly different, I think. It's not too much overhead to have a separate type, and it conveys the usage better IMO

[arkpar]

Does it not require a crypto-secure rng?

[rphmeier]

it's only used to find a nonce which brings the PoW below the threshold. Speed here would be the critical factor. From an outside observer's perspective it doesn't matter whether the method used to choose the nonce is high or low entropy. It could even be consecutive

[arkpar]

can this underflow?

[rphmeier]

at least the subtraction of leeway can. I'll make that saturating.

[arkpar]

Comment above says that a known message should return true

[rphmeier]

yeah, should be is not known (I had it as is_known before but forgot to update when I generalized it)

[arkpar]

perhaps std::collections::BinaryHeap would fit better?

[rphmeier]

a binary heap will be optimized for the use case when we tend to pop off the first element. we tend to remove elements by two metrics: when they expire (~random access) and also by pushing out low PoW elements (sorted access). My intuition was that vector pops (removing low work entries) are very cheap O(n) worst case, and a vector retain periodically to prune expired messages is also relatively cheap O(n).

Doing an arbitrary number of pops from a binary heap to remove low work entries is O(nlogn), and the retainment logic for live messages would have to reconstruct the heap each time from the iterator, again O(nlogn)

[arkpar]

Can connection recover after this? Maybe it would be better to disconnect on any such error?

[rphmeier]

the error will lead to a punishment in the caller of this function