Bump version numbers for beta release.

Backport: Add download button to ExpiredActivity

See merge request akwizgran/briar!772

.idea/runConfigurations/H2_Performance_Test.xml

@@ -1,23 +0,0 @@
-<component name="ProjectRunConfigurationManager">
-  <configuration default="false" name="H2 Performance Test" type="AndroidJUnit" factoryName="Android JUnit">
-    <extension name="coverage" enabled="false" merge="false" sample_coverage="true" runner="idea" />
-    <module name="bramble-core" />
-    <option name="ALTERNATIVE_JRE_PATH_ENABLED" value="false" />
-    <option name="ALTERNATIVE_JRE_PATH" />
-    <option name="PACKAGE_NAME" value="org.briarproject.bramble.db" />
-    <option name="MAIN_CLASS_NAME" value="org.briarproject.bramble.db.H2DatabasePerformanceTest" />
-    <option name="METHOD_NAME" value="" />
-    <option name="TEST_OBJECT" value="class" />
-    <option name="VM_PARAMETERS" value="-ea" />
-    <option name="PARAMETERS" value="" />
-    <option name="WORKING_DIRECTORY" value="" />
-    <option name="ENV_VARIABLES" />
-    <option name="PASS_PARENT_ENVS" value="true" />
-    <option name="TEST_SEARCH_SCOPE">
-      <value defaultName="singleModule" />
-    </option>
-    <envs />
-    <patterns />
-    <method />
-  </configuration>
-</component>

.idea/runConfigurations/HyperSQL_Performance_Test.xml

@@ -1,23 +0,0 @@
-<component name="ProjectRunConfigurationManager">
-  <configuration default="false" name="HyperSQL Performance Test" type="AndroidJUnit" factoryName="Android JUnit">
-    <extension name="coverage" enabled="false" merge="false" sample_coverage="true" runner="idea" />
-    <module name="bramble-core" />
-    <option name="ALTERNATIVE_JRE_PATH_ENABLED" value="false" />
-    <option name="ALTERNATIVE_JRE_PATH" />
-    <option name="PACKAGE_NAME" value="org.briarproject.bramble.db" />
-    <option name="MAIN_CLASS_NAME" value="org.briarproject.bramble.db.HyperSqlDatabasePerformanceTest" />
-    <option name="METHOD_NAME" value="" />
-    <option name="TEST_OBJECT" value="class" />
-    <option name="VM_PARAMETERS" value="-ea" />
-    <option name="PARAMETERS" value="" />
-    <option name="WORKING_DIRECTORY" value="" />
-    <option name="ENV_VARIABLES" />
-    <option name="PASS_PARENT_ENVS" value="true" />
-    <option name="TEST_SEARCH_SCOPE">
-      <value defaultName="singleModule" />
-    </option>
-    <envs />
-    <patterns />
-    <method />
-  </configuration>
-</component>

bramble-android/build.gradle

@@ -1,8 +1,6 @@
 import de.undercouch.gradle.tasks.download.Download
 import de.undercouch.gradle.tasks.download.Verify
 
-import java.security.NoSuchAlgorithmException
-
 apply plugin: 'com.android.library'
 apply plugin: 'witness'
 apply plugin: 'de.undercouch.download'
@@ -14,8 +12,8 @@ android {
 	defaultConfig {
 		minSdkVersion 14
 		targetSdkVersion 26
-		versionCode 1700
-		versionName "0.17.0"
+		versionCode 1621
+		versionName "0.16.21"
 		consumerProguardFiles 'proguard-rules.txt'
 	}
 
@@ -45,7 +43,6 @@ dependencyVerification {
 			'com.madgag.spongycastle:core:1.58.0.0:core-1.58.0.0.jar:199617dd5698c5a9312b898c0a4cec7ce9dd8649d07f65d91629f58229d72728',
 			'javax.annotation:jsr250-api:1.0:jsr250-api-1.0.jar:a1a922d0d9b6d183ed3800dfac01d1e1eb159f0e8c6f94736931c1def54a941f',
 			'javax.inject:javax.inject:1:javax.inject-1.jar:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff',
-			'net.i2p.crypto:eddsa:0.2.0:eddsa-0.2.0.jar:a7cb1b85c16e2f0730b9204106929a1d9aaae1df728adc7041a8b8b605692140',
 			'org.bitlet:weupnp:0.1.4:weupnp-0.1.4.jar:88df7e6504929d00bdb832863761385c68ab92af945b04f0770b126270a444fb',
 			'org.jacoco:org.jacoco.agent:0.7.4.201502262128:org.jacoco.agent-0.7.4.201502262128-runtime.jar:e357a0f1d573c2f702a273992b1b6cb661734f66311854efb3778a888515c5b5',
 			'org.jacoco:org.jacoco.agent:0.7.4.201502262128:org.jacoco.agent-0.7.4.201502262128.jar:47b4bec6df11a1118da3953da8b9fa1e7079d6fec857faa1a3cf912e53a6fd4e',
@@ -69,68 +66,30 @@ def torBinaries = [
 		"geoip"      : '8239b98374493529a29096e45fc5877d4d6fdad0146ad8380b291f90d61484ea'
 ]
 
-def verifyOrDeleteBinary(name, chksum, alreadyVerified) {
-	return tasks.create("verifyOrDeleteBinary${name}", VerifyOrDelete) {
-		src "${torBinaryDir}/${name}.zip"
-		algorithm 'SHA-256'
-		checksum chksum
-		result alreadyVerified
-		onlyIf {
-			src.exists()
-		}
-	}
-}
-
-def downloadBinary(name, chksum, alreadyVerified) {
-	return tasks.create([
-			name: "downloadBinary${name}",
-			type: Download,
-			dependsOn: verifyOrDeleteBinary(name, chksum, alreadyVerified)]) {
+def downloadBinary(name) {
+	return tasks.create("downloadBinary${name}", Download) {
 		src "${torDownloadUrl}${name}.zip"
 				.replace('tor_', "tor-${torVersion}-")
 				.replace('geoip', "geoip-${geoipVersion}")
 				.replaceAll('_', '-')
 		dest "${torBinaryDir}/${name}.zip"
-		onlyIf {
-			!dest.exists()
-		}
+		onlyIfNewer true
 	}
 }
 
 def verifyBinary(name, chksum) {
-	boolean[] alreadyVerified = [false]
 	return tasks.create([
 			name     : "verifyBinary${name}",
 			type     : Verify,
-			dependsOn: downloadBinary(name, chksum, alreadyVerified)]) {
+			dependsOn: downloadBinary(name)]) {
 		src "${torBinaryDir}/${name}.zip"
 		algorithm 'SHA-256'
 		checksum chksum
-		onlyIf {
-			!alreadyVerified[0]
-		}
 	}
 }
 
 project.afterEvaluate {
-	torBinaries.every { name, checksum ->
-		preBuild.dependsOn.add(verifyBinary(name, checksum))
-	}
-}
-
-class VerifyOrDelete extends Verify {
-
-	boolean[] result
-
-	@TaskAction
-	@Override
-	void verify() throws IOException, NoSuchAlgorithmException {
-		try {
-			super.verify()
-			result[0] = true
-		} catch (Exception e) {
-			println "${src} failed verification - deleting"
-			src.delete()
-		}
+	torBinaries.every { key, value ->
+		preBuild.dependsOn.add(verifyBinary(key, value))
 	}
 }

bramble-android/proguard-rules.txt

@@ -8,10 +8,6 @@
 -dontwarn dagger.**
 -dontnote dagger.**
 
--keep class net.i2p.crypto.eddsa.** { *; }
-
--keep class org.whispersystems.curve25519.** { *; }
-
 -dontwarn sun.misc.Unsafe
 -dontnote com.google.common.**
 

bramble-api/src/main/java/org/briarproject/bramble/api/Multiset.java

@@ -1,101 +0,0 @@
-package org.briarproject.bramble.api;
-
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.NoSuchElementException;
-import java.util.Set;
-
-import javax.annotation.concurrent.NotThreadSafe;
-
-@NotThreadSafe
-@NotNullByDefault
-public class Multiset<T> {
-
-	private final Map<T, Integer> map = new HashMap<>();
-
-	private int total = 0;
-
-	/**
-	 * Returns how many items the multiset contains in total.
-	 */
-	public int getTotal() {
-		return total;
-	}
-
-	/**
-	 * Returns how many unique items the multiset contains.
-	 */
-	public int getUnique() {
-		return map.size();
-	}
-
-	/**
-	 * Returns how many of the given item the multiset contains.
-	 */
-	public int getCount(T t) {
-		Integer count = map.get(t);
-		return count == null ? 0 : count;
-	}
-
-	/**
-	 * Adds the given item to the multiset and returns how many of the item
-	 * the multiset now contains.
-	 */
-	public int add(T t) {
-		Integer count = map.get(t);
-		if (count == null) count = 0;
-		map.put(t, count + 1);
-		total++;
-		return count + 1;
-	}
-
-	/**
-	 * Removes the given item from the multiset and returns how many of the
-	 * item the multiset now contains.
-	 * @throws NoSuchElementException if the item is not in the multiset.
-	 */
-	public int remove(T t) {
-		Integer count = map.get(t);
-		if (count == null) throw new NoSuchElementException();
-		if (count == 1) map.remove(t);
-		else map.put(t, count - 1);
-		total--;
-		return count - 1;
-	}
-
-	/**
-	 * Removes all occurrences of the given item from the multiset.
-	 */
-	public int removeAll(T t) {
-		Integer count = map.remove(t);
-		if (count == null) return 0;
-		total -= count;
-		return count;
-	}
-
-	/**
-	 * Returns true if the multiset contains any occurrences of the given item.
-	 */
-	public boolean contains(T t) {
-		return map.containsKey(t);
-	}
-
-	/**
-	 * Removes all items from the multiset.
-	 */
-	public void clear() {
-		map.clear();
-		total = 0;
-	}
-
-	/**
-	 * Returns the set of unique items the multiset contains. The returned set
-	 * is unmodifiable.
-	 */
-	public Set<T> keySet() {
-		return Collections.unmodifiableSet(map.keySet());
-	}
-}

bramble-api/src/main/java/org/briarproject/bramble/api/UnsupportedVersionException.java

@@ -1,9 +0,0 @@
-package org.briarproject.bramble.api;
-
-import java.io.IOException;
-
-/**
- * An exception that indicates an unrecoverable version mismatch.
- */
-public class UnsupportedVersionException extends IOException {
-}

bramble-api/src/main/java/org/briarproject/bramble/api/client/ClientHelper.java

@@ -5,10 +5,7 @@ import org.briarproject.bramble.api.data.BdfDictionary;
 import org.briarproject.bramble.api.data.BdfList;
 import org.briarproject.bramble.api.db.DbException;
 import org.briarproject.bramble.api.db.Transaction;
-import org.briarproject.bramble.api.identity.Author;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-import org.briarproject.bramble.api.plugin.TransportId;
-import org.briarproject.bramble.api.properties.TransportProperties;
 import org.briarproject.bramble.api.sync.GroupId;
 import org.briarproject.bramble.api.sync.Message;
 import org.briarproject.bramble.api.sync.MessageId;
@@ -90,30 +87,16 @@ public interface ClientHelper {
 	BdfDictionary toDictionary(byte[] b, int off, int len)
 			throws FormatException;
 
-	BdfDictionary toDictionary(TransportProperties transportProperties);
-
-	BdfDictionary toDictionary(Map<TransportId, TransportProperties> map);
-
 	BdfList toList(byte[] b, int off, int len) throws FormatException;
 
 	BdfList toList(byte[] b) throws FormatException;
 
 	BdfList toList(Message m) throws FormatException;
 
-	BdfList toList(Author a);
-
 	byte[] sign(String label, BdfList toSign, byte[] privateKey)
 			throws FormatException, GeneralSecurityException;
 
-	void verifySignature(byte[] signature, String label, BdfList signed,
-			byte[] publicKey) throws FormatException, GeneralSecurityException;
-
-	Author parseAndValidateAuthor(BdfList author) throws FormatException;
-
-	TransportProperties parseAndValidateTransportProperties(
-			BdfDictionary properties) throws FormatException;
-
-	Map<TransportId, TransportProperties> parseAndValidateTransportPropertiesMap(
-			BdfDictionary properties) throws FormatException;
+	void verifySignature(String label, byte[] sig, byte[] publicKey,
+			BdfList signed) throws FormatException, GeneralSecurityException;
 
 }

bramble-api/src/main/java/org/briarproject/bramble/api/client/ContactGroupFactory.java

@@ -12,19 +12,18 @@ public interface ContactGroupFactory {
 	/**
 	 * Creates a group that is not shared with any contacts.
 	 */
-	Group createLocalGroup(ClientId clientId, int clientVersion);
+	Group createLocalGroup(ClientId clientId);
 
 	/**
 	 * Creates a group for the given client to share with the given contact.
 	 */
-	Group createContactGroup(ClientId clientId, int clientVersion,
-			Contact contact);
+	Group createContactGroup(ClientId clientId, Contact contact);
 
 	/**
 	 * Creates a group for the given client to share between the given authors
 	 * identified by their AuthorIds.
 	 */
-	Group createContactGroup(ClientId clientId, int clientVersion,
-			AuthorId authorId1, AuthorId authorId2);
+	Group createContactGroup(ClientId clientId, AuthorId authorId1,
+			AuthorId authorId2);
 
 }

bramble-api/src/main/java/org/briarproject/bramble/api/contact/ContactExchangeTask.java

@@ -12,32 +12,6 @@ import org.briarproject.bramble.api.plugin.duplex.DuplexTransportConnection;
 @NotNullByDefault
 public interface ContactExchangeTask {
 
-	/**
-	 * The current version of the contact exchange protocol
-	 */
-	int PROTOCOL_VERSION = 0;
-
-	/**
-	 * Label for deriving Alice's header key from the master secret.
-	 */
-	String ALICE_KEY_LABEL =
-			"org.briarproject.bramble.contact/ALICE_HEADER_KEY";
-
-	/**
-	 * Label for deriving Bob's header key from the master secret.
-	 */
-	String BOB_KEY_LABEL = "org.briarproject.bramble.contact/BOB_HEADER_KEY";
-
-	/**
-	 * Label for deriving Alice's key binding nonce from the master secret.
-	 */
-	String ALICE_NONCE_LABEL = "org.briarproject.bramble.contact/ALICE_NONCE";
-
-	/**
-	 * Label for deriving Bob's key binding nonce from the master secret.
-	 */
-	String BOB_NONCE_LABEL = "org.briarproject.bramble.contact/BOB_NONCE";
-
 	/**
 	 * Exchanges contact information with a remote peer.
 	 */

bramble-api/src/main/java/org/briarproject/bramble/api/contact/ContactId.java

@@ -6,7 +6,7 @@ import javax.annotation.concurrent.Immutable;
 
 /**
  * Type-safe wrapper for an integer that uniquely identifies a contact within
- * the scope of the local device.
+ * the scope of a single node.
  */
 @Immutable
 @NotNullByDefault

bramble-api/src/main/java/org/briarproject/bramble/api/contact/ContactManager.java

@@ -5,7 +5,6 @@ import org.briarproject.bramble.api.db.DbException;
 import org.briarproject.bramble.api.db.Transaction;
 import org.briarproject.bramble.api.identity.Author;
 import org.briarproject.bramble.api.identity.AuthorId;
-import org.briarproject.bramble.api.lifecycle.LifecycleManager;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
 
 import java.util.Collection;
@@ -14,28 +13,23 @@ import java.util.Collection;
 public interface ContactManager {
 
 	/**
-	 * Registers a hook to be called whenever a contact is added or removed.
-	 * This method should be called before
-	 * {@link LifecycleManager#startServices(String)}.
+	 * Registers a hook to be called whenever a contact is added.
 	 */
-	void registerContactHook(ContactHook hook);
+	void registerAddContactHook(AddContactHook hook);
 
 	/**
-	 * Stores a contact associated with the given local and remote pseudonyms,
-	 * derives and stores transport keys for each transport, and returns an ID
-	 * for the contact.
+	 * Registers a hook to be called whenever a contact is removed.
+	 */
+	void registerRemoveContactHook(RemoveContactHook hook);
+
+	/**
+	 * Stores a contact within the given transaction associated with the given
+	 * local and remote pseudonyms, and returns an ID for the contact.
 	 */
 	ContactId addContact(Transaction txn, Author remote, AuthorId local,
 			SecretKey master, long timestamp, boolean alice, boolean verified,
 			boolean active) throws DbException;
 
-	/**
-	 * Stores a contact associated with the given local and remote pseudonyms
-	 * and returns an ID for the contact.
-	 */
-	ContactId addContact(Transaction txn, Author remote, AuthorId local,
-			boolean verified, boolean active) throws DbException;
-
 	/**
 	 * Stores a contact associated with the given local and remote pseudonyms,
 	 * and returns an ID for the contact.
@@ -100,10 +94,11 @@ public interface ContactManager {
 	boolean contactExists(AuthorId remoteAuthorId, AuthorId localAuthorId)
 			throws DbException;
 
-	interface ContactHook {
-
+	interface AddContactHook {
 		void addingContact(Transaction txn, Contact c) throws DbException;
+	}
 
+	interface RemoveContactHook {
 		void removingContact(Transaction txn, Contact c) throws DbException;
 	}
 }

bramble-api/src/main/java/org/briarproject/bramble/api/crypto/CryptoComponent.java

@@ -1,13 +1,11 @@
 package org.briarproject.bramble.api.crypto;
 
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+import org.briarproject.bramble.api.plugin.TransportId;
+import org.briarproject.bramble.api.transport.TransportKeys;
 
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
 
-import javax.annotation.Nullable;
-
-@NotNullByDefault
 public interface CryptoComponent {
 
 	SecretKey generateSecretKey();
@@ -25,83 +23,153 @@ public interface CryptoComponent {
 	KeyParser getMessageKeyParser();
 
 	/**
-	 * Derives another secret key from the given secret key.
-	 *
-	 * @param label a namespaced label indicating the purpose of the derived
-	 * key, to prevent it from being repurposed or colliding with a key derived
-	 * for another purpose
+	 * Derives a stream header key from the given master secret.
+	 * @param alice whether the key is for use by Alice or Bob.
 	 */
-	SecretKey deriveKey(String label, SecretKey k, byte[]... inputs);
+	SecretKey deriveHeaderKey(SecretKey master, boolean alice);
+
+	/**
+	 * Derives a message authentication code key from the given master secret.
+	 * @param alice whether the key is for use by Alice or Bob.
+	 */
+	SecretKey deriveMacKey(SecretKey master, boolean alice);
+
+	/**
+	 * Derives a nonce from the given master secret for one of the parties to
+	 * sign.
+	 * @param alice whether the nonce is for use by Alice or Bob.
+	 */
+	byte[] deriveSignatureNonce(SecretKey master, boolean alice);
+
+	/**
+	 * Derives a commitment to the provided public key.
+	 * <p/>
+	 * Part of BQP.
+	 *
+	 * @param publicKey the public key
+	 * @return the commitment to the provided public key.
+	 */
+	byte[] deriveKeyCommitment(byte[] publicKey);
 
 	/**
 	 * Derives a common shared secret from two public keys and one of the
 	 * corresponding private keys.
+	 * <p/>
+	 * Part of BQP.
 	 *
-	 * @param label a namespaced label indicating the purpose of this shared
-	 * secret, to prevent it from being repurposed or colliding with a shared
-	 * secret derived for another purpose
-	 * @param theirPublicKey the public key of the remote party
-	 * @param ourKeyPair the key pair of the local party
+	 * @param theirPublicKey the ephemeral public key of the remote party
+	 * @param ourKeyPair our ephemeral keypair
+	 * @param alice true if ourKeyPair belongs to Alice
 	 * @return the shared secret
+	 * @throws GeneralSecurityException
 	 */
-	SecretKey deriveSharedSecret(String label, PublicKey theirPublicKey,
-			KeyPair ourKeyPair, byte[]... inputs)
-			throws GeneralSecurityException;
+	SecretKey deriveSharedSecret(byte[] theirPublicKey, KeyPair ourKeyPair,
+			boolean alice) throws GeneralSecurityException;
 
 	/**
-	 * Signs the given byte[] with the given private key.
+	 * Derives the content of a confirmation record.
+	 * <p/>
+	 * Part of BQP.
 	 *
-	 * @param label a namespaced label indicating the purpose of this
-	 * signature, to prevent it from being repurposed or colliding with a
-	 * signature created for another purpose
+	 * @param sharedSecret the common shared secret
+	 * @param theirPayload the commit payload from the remote party
+	 * @param ourPayload the commit payload we sent
+	 * @param theirPublicKey the ephemeral public key of the remote party
+	 * @param ourKeyPair our ephemeral keypair
+	 * @param alice true if ourKeyPair belongs to Alice
+	 * @param aliceRecord true if the confirmation record is for use by Alice
+	 * @return the confirmation record
+	 */
+	byte[] deriveConfirmationRecord(SecretKey sharedSecret,
+			byte[] theirPayload, byte[] ourPayload,
+			byte[] theirPublicKey, KeyPair ourKeyPair,
+			boolean alice, boolean aliceRecord);
+
+	/**
+	 * Derives a master secret from the given shared secret.
+	 * <p/>
+	 * Part of BQP.
+	 *
+	 * @param sharedSecret the common shared secret
+	 * @return the master secret
+	 */
+	SecretKey deriveMasterSecret(SecretKey sharedSecret);
+
+	/**
+	 * Derives a master secret from two public keys and one of the corresponding
+	 * private keys.
+	 * <p/>
+	 * This is a helper method that calls
+	 * deriveMasterSecret(deriveSharedSecret(theirPublicKey, ourKeyPair, alice))
+	 *
+	 * @param theirPublicKey the ephemeral public key of the remote party
+	 * @param ourKeyPair our ephemeral keypair
+	 * @param alice true if ourKeyPair belongs to Alice
+	 * @return the shared secret
+	 * @throws GeneralSecurityException
+	 */
+	SecretKey deriveMasterSecret(byte[] theirPublicKey, KeyPair ourKeyPair,
+			boolean alice) throws GeneralSecurityException;
+
+	/**
+	 * Derives initial transport keys for the given transport in the given
+	 * rotation period from the given master secret.
+	 * @param alice whether the keys are for use by Alice or Bob.
+	 */
+	TransportKeys deriveTransportKeys(TransportId t, SecretKey master,
+			long rotationPeriod, boolean alice);
+
+	/**
+	 * Rotates the given transport keys to the given rotation period. If the
+	 * keys are for a future rotation period they are not rotated.
+	 */
+	TransportKeys rotateTransportKeys(TransportKeys k, long rotationPeriod);
+
+	/** Encodes the pseudo-random tag that is used to recognise a stream. */
+	void encodeTag(byte[] tag, SecretKey tagKey, int protocolVersion,
+			long streamNumber);
+
+	/**
+	 * Signs the given byte[] with the given PrivateKey.
+	 *
+	 * @param label A label specific to this signature
+	 *              to ensure that the signature cannot be repurposed
 	 */
 	byte[] sign(String label, byte[] toSign, byte[] privateKey)
 			throws GeneralSecurityException;
 
 	/**
-	 * Verifies that the given signature is valid for the signed data
-	 * and the given public key.
+	 * Verifies that the given signature is valid for the signedData
+	 * and the given publicKey.
 	 *
-	 * @param label a namespaced label indicating the purpose of this
-	 * signature, to prevent it from being repurposed or colliding with a
-	 * signature created for another purpose
+	 * @param label A label that was specific to this signature
+	 *              to ensure that the signature cannot be repurposed
 	 * @return true if the signature was valid, false otherwise.
 	 */
-	boolean verifySignature(byte[] signature, String label, byte[] signed,
-			byte[] publicKey) throws GeneralSecurityException;
+	boolean verify(String label, byte[] signedData, byte[] publicKey,
+			byte[] signature) throws GeneralSecurityException;
 
 	/**
 	 * Returns the hash of the given inputs. The inputs are unambiguously
 	 * combined by prefixing each input with its length.
 	 *
-	 * @param label a namespaced label indicating the purpose of this hash, to
-	 * prevent it from being repurposed or colliding with a hash created for
-	 * another purpose
+	 * @param label A label specific to this hash to ensure that hashes
+	 *              calculated for distinct purposes don't collide.
 	 */
 	byte[] hash(String label, byte[]... inputs);
 
+	/**
+	 * Returns the length of hashes produced by
+	 * the {@link CryptoComponent#hash(String, byte[]...)} method.
+	 */
+	int getHashLength();
+
 	/**
 	 * Returns a message authentication code with the given key over the
 	 * given inputs. The inputs are unambiguously combined by prefixing each
 	 * input with its length.
-	 *
-	 * @param label a namespaced label indicating the purpose of this MAC, to
-	 * prevent it from being repurposed or colliding with a MAC created for
-	 * another purpose
 	 */
-	byte[] mac(String label, SecretKey macKey, byte[]... inputs);
-
-	/**
-	 * Verifies that the given message authentication code is valid for the
-	 * given secret key and inputs.
-	 *
-	 * @param label a namespaced label indicating the purpose of this MAC, to
-	 * prevent it from being repurposed or colliding with a MAC created for
-	 * another purpose
-	 * @return true if the MAC was valid, false otherwise.
-	 */
-	boolean verifyMac(byte[] mac, String label, SecretKey macKey,
-			byte[]... inputs);
+	byte[] mac(SecretKey macKey, byte[]... inputs);
 
 	/**
 	 * Encrypts and authenticates the given plaintext so it can be written to
@@ -117,7 +185,6 @@ public interface CryptoComponent {
 	 * given password. Returns null if the ciphertext cannot be decrypted and
 	 * authenticated (for example, if the password is wrong).
 	 */
-	@Nullable
 	byte[] decryptWithPassword(byte[] ciphertext, String password);
 
 	/**

bramble-api/src/main/java/org/briarproject/bramble/api/crypto/CryptoConstants.java

@@ -1,25 +0,0 @@
-package org.briarproject.bramble.api.crypto;
-
-public interface CryptoConstants {
-
-	/**
-	 * The maximum length of an agreement public key in bytes.
-	 */
-	int MAX_AGREEMENT_PUBLIC_KEY_BYTES = 32;
-
-	/**
-	 * The maximum length of a signature public key in bytes.
-	 */
-	int MAX_SIGNATURE_PUBLIC_KEY_BYTES = 32;
-
-	/**
-	 * The maximum length of a signature in bytes.
-	 */
-	int MAX_SIGNATURE_BYTES = 64;
-
-	/**
-	 * The length of a MAC in bytes.
-	 */
-	int MAC_BYTES = SecretKey.LENGTH;
-
-}

bramble-api/src/main/java/org/briarproject/bramble/api/crypto/KeyAgreementCrypto.java

@@ -1,50 +0,0 @@
-package org.briarproject.bramble.api.crypto;
-
-/**
- * Crypto operations for the key agreement protocol - see
- * https://code.briarproject.org/akwizgran/briar-spec/blob/master/protocols/BQP.md
- */
-public interface KeyAgreementCrypto {
-
-	/**
-	 * Hash label for public key commitment.
-	 */
-	String COMMIT_LABEL = "org.briarproject.bramble.keyagreement/COMMIT";
-
-	/**
-	 * Key derivation label for confirmation record.
-	 */
-	String CONFIRMATION_KEY_LABEL =
-			"org.briarproject.bramble.keyagreement/CONFIRMATION_KEY";
-
-	/**
-	 * MAC label for confirmation record.
-	 */
-	String CONFIRMATION_MAC_LABEL =
-			"org.briarproject.bramble.keyagreement/CONFIRMATION_MAC";
-
-	/**
-	 * Derives a commitment to the provided public key.
-	 *
-	 * @param publicKey the public key
-	 * @return the commitment to the provided public key.
-	 */
-	byte[] deriveKeyCommitment(PublicKey publicKey);
-
-	/**
-	 * Derives the content of a confirmation record.
-	 *
-	 * @param sharedSecret the common shared secret
-	 * @param theirPayload the key exchange payload of the remote party
-	 * @param ourPayload the key exchange payload of the local party
-	 * @param theirPublicKey the ephemeral public key of the remote party
-	 * @param ourKeyPair our ephemeral key pair of the local party
-	 * @param alice true if the local party is Alice
-	 * @param aliceRecord true if the confirmation record is for use by Alice
-	 * @return the confirmation record
-	 */
-	byte[] deriveConfirmationRecord(SecretKey sharedSecret,
-			byte[] theirPayload, byte[] ourPayload,
-			PublicKey theirPublicKey, KeyPair ourKeyPair,
-			boolean alice, boolean aliceRecord);
-}

bramble-api/src/main/java/org/briarproject/bramble/api/crypto/TransportCrypto.java

@@ -1,33 +0,0 @@
-package org.briarproject.bramble.api.crypto;
-
-import org.briarproject.bramble.api.plugin.TransportId;
-import org.briarproject.bramble.api.transport.TransportKeys;
-
-/**
- * Crypto operations for the transport security protocol - see
- * https://code.briarproject.org/akwizgran/briar-spec/blob/master/protocols/BTP.md
- */
-public interface TransportCrypto {
-
-	/**
-	 * Derives initial transport keys for the given transport in the given
-	 * rotation period from the given master secret.
-	 *
-	 * @param alice whether the keys are for use by Alice or Bob.
-	 * @param active whether the keys are usable for outgoing streams.
-	 */
-	TransportKeys deriveTransportKeys(TransportId t, SecretKey master,
-			long rotationPeriod, boolean alice, boolean active);
-
-	/**
-	 * Rotates the given transport keys to the given rotation period. If the
-	 * keys are for the given period or any later period they are not rotated.
-	 */
-	TransportKeys rotateTransportKeys(TransportKeys k, long rotationPeriod);
-
-	/**
-	 * Encodes the pseudo-random tag that is used to recognise a stream.
-	 */
-	void encodeTag(byte[] tag, SecretKey tagKey, int protocolVersion,
-			long streamNumber);
-}

bramble-api/src/main/java/org/briarproject/bramble/api/data/BdfDictionary.java

@@ -34,7 +34,7 @@ public class BdfDictionary extends TreeMap<String, Object> {
 		super();
 	}
 
-	public BdfDictionary(Map<String, ?> m) {
+	public BdfDictionary(Map<String, Object> m) {
 		super(m);
 	}
 

bramble-api/src/main/java/org/briarproject/bramble/api/data/ObjectReader.java

@@ -0,0 +1,11 @@
+package org.briarproject.bramble.api.data;
+
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+
+import java.io.IOException;
+
+@NotNullByDefault
+public interface ObjectReader<T> {
+
+	T readObject(BdfReader r) throws IOException;
+}

bramble-api/src/main/java/org/briarproject/bramble/api/db/DatabaseComponent.java

@@ -18,8 +18,7 @@ import org.briarproject.bramble.api.sync.MessageId;
 import org.briarproject.bramble.api.sync.MessageStatus;
 import org.briarproject.bramble.api.sync.Offer;
 import org.briarproject.bramble.api.sync.Request;
-import org.briarproject.bramble.api.transport.KeySet;
-import org.briarproject.bramble.api.transport.KeySetId;
+import org.briarproject.bramble.api.sync.ValidationManager;
 import org.briarproject.bramble.api.transport.TransportKeys;
 
 import java.util.Collection;
@@ -104,17 +103,10 @@ public interface DatabaseComponent {
 			throws DbException;
 
 	/**
-	 * Stores the given transport keys, optionally binding them to the given
-	 * contact, and returns a key set ID.
+	 * Stores transport keys for a newly added contact.
 	 */
-	KeySetId addTransportKeys(Transaction txn, @Nullable ContactId c,
-			TransportKeys k) throws DbException;
-
-	/**
-	 * Binds the given keys for the given transport to the given contact.
-	 */
-	void bindTransportKeys(Transaction txn, ContactId c, TransportId t,
-			KeySetId k) throws DbException;
+	void addTransportKeys(Transaction txn, ContactId c, TransportKeys k)
+			throws DbException;
 
 	/**
 	 * Returns true if the database contains the given contact for the given
@@ -347,8 +339,12 @@ public interface DatabaseComponent {
 
 	/**
 	 * Returns the IDs and states of all dependencies of the given message.
-	 * For missing dependencies and dependencies in other groups, the state
-	 * {@link State UNKNOWN} is returned.
+	 * Missing dependencies have the state
+	 * {@link ValidationManager.State UNKNOWN}.
+	 * Dependencies in other groups have the state
+	 * {@link ValidationManager.State INVALID}.
+	 * Note that these states are not set on the dependencies themselves; the
+	 * returned states should only be taken in the context of the given message.
 	 * <p/>
 	 * Read-only.
 	 */
@@ -356,9 +352,9 @@ public interface DatabaseComponent {
 			throws DbException;
 
 	/**
-	 * Returns the IDs and states of all dependents of the given message.
-	 * Dependents in other groups are not returned. If the given message is
-	 * missing, no dependents are returned.
+	 * Returns all IDs of messages that depend on the given message.
+	 * Messages in other groups that declare a dependency on the given message
+	 * will be returned even though such dependencies are invalid.
 	 * <p/>
 	 * Read-only.
 	 */
@@ -403,14 +399,15 @@ public interface DatabaseComponent {
 	 * <p/>
 	 * Read-only.
 	 */
-	Collection<KeySet> getTransportKeys(Transaction txn, TransportId t)
-			throws DbException;
+	Map<ContactId, TransportKeys> getTransportKeys(Transaction txn,
+			TransportId t) throws DbException;
 
 	/**
-	 * Increments the outgoing stream counter for the given transport keys.
+	 * Increments the outgoing stream counter for the given contact and
+	 * transport in the given rotation period .
 	 */
-	void incrementStreamCounter(Transaction txn, TransportId t, KeySetId k)
-			throws DbException;
+	void incrementStreamCounter(Transaction txn, ContactId c, TransportId t,
+			long rotationPeriod) throws DbException;
 
 	/**
 	 * Merges the given metadata with the existing metadata for the given
@@ -480,12 +477,6 @@ public interface DatabaseComponent {
 	 */
 	void removeTransport(Transaction txn, TransportId t) throws DbException;
 
-	/**
-	 * Removes the given transport keys from the database.
-	 */
-	void removeTransportKeys(Transaction txn, TransportId t, KeySetId k)
-		throws DbException;
-
 	/**
 	 * Marks the given contact as verified.
 	 */
@@ -521,21 +512,15 @@ public interface DatabaseComponent {
 			Collection<MessageId> dependencies) throws DbException;
 
 	/**
-	 * Sets the reordering window for the given key set and transport in the
+	 * Sets the reordering window for the given contact and transport in the
 	 * given rotation period.
 	 */
-	void setReorderingWindow(Transaction txn, KeySetId k, TransportId t,
+	void setReorderingWindow(Transaction txn, ContactId c, TransportId t,
 			long rotationPeriod, long base, byte[] bitmap) throws DbException;
 
-	/**
-	 * Marks the given transport keys as usable for outgoing streams.
-	 */
-	void setTransportKeysActive(Transaction txn, TransportId t, KeySetId k)
-		throws DbException;
-
 	/**
 	 * Stores the given transport keys, deleting any keys they have replaced.
 	 */
-	void updateTransportKeys(Transaction txn, Collection<KeySet> keys)
-			throws DbException;
+	void updateTransportKeys(Transaction txn,
+			Map<ContactId, TransportKeys> keys) throws DbException;
 }

bramble-api/src/main/java/org/briarproject/bramble/api/identity/Author.java

@@ -1,13 +1,11 @@
 package org.briarproject.bramble.api.identity;
 
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-import org.briarproject.bramble.util.StringUtils;
+
+import java.io.UnsupportedEncodingException;
 
 import javax.annotation.concurrent.Immutable;
 
-import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_AUTHOR_NAME_LENGTH;
-import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_PUBLIC_KEY_LENGTH;
-
 /**
  * A pseudonym for a user.
  */
@@ -19,25 +17,20 @@ public class Author {
 		NONE, ANONYMOUS, UNKNOWN, UNVERIFIED, VERIFIED, OURSELVES
 	}
 
-	/**
-	 * The current version of the author structure.
-	 */
-	public static final int FORMAT_VERSION = 1;
-
 	private final AuthorId id;
-	private final int formatVersion;
 	private final String name;
 	private final byte[] publicKey;
 
-	public Author(AuthorId id, int formatVersion, String name,
-			byte[] publicKey) {
-		int nameLength = StringUtils.toUtf8(name).length;
-		if (nameLength == 0 || nameLength > MAX_AUTHOR_NAME_LENGTH)
-			throw new IllegalArgumentException();
-		if (publicKey.length == 0 || publicKey.length > MAX_PUBLIC_KEY_LENGTH)
+	public Author(AuthorId id, String name, byte[] publicKey) {
+		int length;
+		try {
+			length = name.getBytes("UTF-8").length;
+		} catch (UnsupportedEncodingException e) {
+			throw new RuntimeException(e);
+		}
+		if (length == 0 || length > AuthorConstants.MAX_AUTHOR_NAME_LENGTH)
 			throw new IllegalArgumentException();
 		this.id = id;
-		this.formatVersion = formatVersion;
 		this.name = name;
 		this.publicKey = publicKey;
 	}
@@ -49,13 +42,6 @@ public class Author {
 		return id;
 	}
 
-	/**
-	 * Returns the version of the author structure used to create the author.
-	 */
-	public int getFormatVersion() {
-		return formatVersion;
-	}
-
 	/**
 	 * Returns the author's name.
 	 */

bramble-api/src/main/java/org/briarproject/bramble/api/identity/AuthorConstants.java

@@ -1,8 +1,5 @@
 package org.briarproject.bramble.api.identity;
 
-import static org.briarproject.bramble.api.crypto.CryptoConstants.MAX_SIGNATURE_BYTES;
-import static org.briarproject.bramble.api.crypto.CryptoConstants.MAX_SIGNATURE_PUBLIC_KEY_BYTES;
-
 public interface AuthorConstants {
 
 	/**
@@ -11,14 +8,26 @@ public interface AuthorConstants {
 	int MAX_AUTHOR_NAME_LENGTH = 50;
 
 	/**
-	 * The maximum length of a public key in bytes. This applies to the
-	 * signature algorithm used by the current {@link Author format version}.
+	 * The maximum length of a public key in bytes.
+	 * <p>
+	 * Public keys use SEC1 format: 0x04 x y, where x and y are unsigned
+	 * big-endian integers.
+	 * <p>
+	 * For a 256-bit elliptic curve, the maximum length is 2 * 256 / 8 + 1.
 	 */
-	int MAX_PUBLIC_KEY_LENGTH = MAX_SIGNATURE_PUBLIC_KEY_BYTES;
+	int MAX_PUBLIC_KEY_LENGTH = 65;
 
 	/**
-	 * The maximum length of a signature in bytes. This applies to the
-	 * signature algorithm used by the current {@link Author format version}.
+	 * The maximum length of a signature in bytes.
+	 * <p>
+	 * A signature is an ASN.1 DER sequence containing two integers, r and s.
+	 * The format is 0x30 len1 0x02 len2 r 0x02 len3 s, where len1 is
+	 * len(0x02 len2 r 0x02 len3 s) as a DER length, len2 is len(r) as a DER
+	 * length, len3 is len(s) as a DER length, and r and s are signed
+	 * big-endian integers of minimal length.
+	 * <p>
+	 * For a 256-bit elliptic curve, the lengths are one byte each, so the
+	 * maximum length is 2 * 256 / 8 + 8.
 	 */
-	int MAX_SIGNATURE_LENGTH = MAX_SIGNATURE_BYTES;
+	int MAX_SIGNATURE_LENGTH = 72;
 }

bramble-api/src/main/java/org/briarproject/bramble/api/identity/AuthorFactory.java

@@ -5,27 +5,8 @@ import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
 @NotNullByDefault
 public interface AuthorFactory {
 
-	/**
-	 * Creates an author with the current format version and the given name and
-	 * public key.
-	 */
 	Author createAuthor(String name, byte[] publicKey);
 
-	/**
-	 * Creates an author with the given format version, name and public key.
-	 */
-	Author createAuthor(int formatVersion, String name, byte[] publicKey);
-
-	/**
-	 * Creates a local author with the current format version and the given
-	 * name and keys.
-	 */
 	LocalAuthor createLocalAuthor(String name, byte[] publicKey,
 			byte[] privateKey);
-
-	/**
-	 * Creates a local author with the given format version, name and keys.
-	 */
-	LocalAuthor createLocalAuthor(int formatVersion, String name,
-			byte[] publicKey, byte[] privateKey);
 }

bramble-api/src/main/java/org/briarproject/bramble/api/identity/AuthorId.java

@@ -16,7 +16,7 @@ public class AuthorId extends UniqueId {
 	/**
 	 * Label for hashing authors to calculate their identities.
 	 */
-	public static final String LABEL = "org.briarproject.bramble/AUTHOR_ID";
+	public static final String LABEL = "org.briarproject.bramble.AUTHOR_ID";
 
 	public AuthorId(byte[] id) {
 		super(id);

bramble-api/src/main/java/org/briarproject/bramble/api/identity/LocalAuthor.java

@@ -14,9 +14,9 @@ public class LocalAuthor extends Author {
 	private final byte[] privateKey;
 	private final long created;
 
-	public LocalAuthor(AuthorId id, int formatVersion, String name,
-			byte[] publicKey, byte[] privateKey, long created) {
-		super(id, formatVersion, name, publicKey);
+	public LocalAuthor(AuthorId id, String name, byte[] publicKey,
+			byte[] privateKey, long created) {
+		super(id, name, publicKey);
 		this.privateKey = privateKey;
 		this.created = created;
 	}

bramble-api/src/main/java/org/briarproject/bramble/api/keyagreement/KeyAgreementConstants.java

@@ -3,9 +3,9 @@ package org.briarproject.bramble.api.keyagreement;
 public interface KeyAgreementConstants {
 
 	/**
-	 * The current version of the BQP protocol. Version number 89 is reserved.
+	 * The current version of the BQP protocol.
 	 */
-	byte PROTOCOL_VERSION = 4;
+	byte PROTOCOL_VERSION = 2;
 
 	/**
 	 * The length of the record header in bytes.
@@ -22,10 +22,7 @@ public interface KeyAgreementConstants {
 	 */
 	int COMMIT_LENGTH = 16;
 
-	/**
-	 * The connection timeout in milliseconds.
-	 */
-	long CONNECTION_TIMEOUT = 20 * 1000;
+	long CONNECTION_TIMEOUT = 20 * 1000; // Milliseconds
 
 	/**
 	 * The transport identifier for Bluetooth.
@@ -36,16 +33,4 @@ public interface KeyAgreementConstants {
 	 * The transport identifier for LAN.
 	 */
 	int TRANSPORT_ID_LAN = 1;
-
-	/**
-	 * Label for deriving the shared secret.
-	 */
-	String SHARED_SECRET_LABEL =
-			"org.briarproject.bramble.keyagreement/SHARED_SECRET";
-
-	/**
-	 * Label for deriving the master secret.
-	 */
-	String MASTER_SECRET_LABEL =
-			"org.briarproject.bramble.keyagreement/MASTER_SECRET";
 }

bramble-api/src/main/java/org/briarproject/bramble/api/keyagreement/KeyAgreementTaskFactory.java

@@ -0,0 +1,15 @@
+package org.briarproject.bramble.api.keyagreement;
+
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+
+/**
+ * Manages tasks for conducting key agreements with remote peers.
+ */
+@NotNullByDefault
+public interface KeyAgreementTaskFactory {
+
+	/**
+	 * Gets the current key agreement task.
+	 */
+	KeyAgreementTask createTask();
+}

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/TransportId.java

@@ -1,23 +1,22 @@
 package org.briarproject.bramble.api.plugin;
 
-import org.briarproject.bramble.util.StringUtils;
+import java.nio.charset.Charset;
 
 /**
- * Type-safe wrapper for a namespaced string that uniquely identifies a
- * transport plugin.
+ * Type-safe wrapper for a string that uniquely identifies a transport plugin.
  */
 public class TransportId {
 
 	/**
-	 * The maximum length of a transport identifier in UTF-8 bytes.
+	 * The maximum length of transport identifier in UTF-8 bytes.
 	 */
-	public static int MAX_TRANSPORT_ID_LENGTH = 100;
+	public static int MAX_TRANSPORT_ID_LENGTH = 64;
 
 	private final String id;
 
 	public TransportId(String id) {
-		int length = StringUtils.toUtf8(id).length;
-		if (length == 0 || length > MAX_TRANSPORT_ID_LENGTH)
+		byte[] b = id.getBytes(Charset.forName("UTF-8"));
+		if (b.length == 0 || b.length > MAX_TRANSPORT_ID_LENGTH)
 			throw new IllegalArgumentException();
 		this.id = id;
 	}

bramble-api/src/main/java/org/briarproject/bramble/api/properties/TransportPropertyManager.java

@@ -17,11 +17,6 @@ public interface TransportPropertyManager {
 	 */
 	ClientId CLIENT_ID = new ClientId("org.briarproject.briar.properties");
 
-	/**
-	 * The current version of the transport property client.
-	 */
-	int CLIENT_VERSION = 0;
-
 	/**
 	 * Stores the given properties received while adding a contact - they will
 	 * be superseded by any properties synced from the contact.

bramble-api/src/main/java/org/briarproject/bramble/api/sync/ClientId.java

@@ -1,29 +1,19 @@
 package org.briarproject.bramble.api.sync;
 
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-import org.briarproject.bramble.util.StringUtils;
 
 import javax.annotation.concurrent.Immutable;
 
 /**
- * Type-safe wrapper for a namespaced string that uniquely identifies a sync
- * client.
+ * Wrapper for a name-spaced string that uniquely identifies a sync client.
  */
 @Immutable
 @NotNullByDefault
 public class ClientId implements Comparable<ClientId> {
 
-	/**
-	 * The maximum length of a client identifier in UTF-8 bytes.
-	 */
-	public static int MAX_CLIENT_ID_LENGTH = 100;
-
 	private final String id;
 
 	public ClientId(String id) {
-		int length = StringUtils.toUtf8(id).length;
-		if (length == 0 || length > MAX_CLIENT_ID_LENGTH)
-			throw new IllegalArgumentException();
 		this.id = id;
 	}
 
@@ -46,8 +36,4 @@ public class ClientId implements Comparable<ClientId> {
 		return id.hashCode();
 	}
 
-	@Override
-	public String toString() {
-		return id;
-	}
 }

bramble-api/src/main/java/org/briarproject/bramble/api/sync/Group.java

@@ -10,11 +10,6 @@ public class Group {
 		SHARED // The group is visible and messages are shared
 	}
 
-	/**
-	 * The current version of the group format.
-	 */
-	public static final int FORMAT_VERSION = 1;
-
 	private final GroupId id;
 	private final ClientId clientId;
 	private final byte[] descriptor;

bramble-api/src/main/java/org/briarproject/bramble/api/sync/GroupFactory.java

@@ -6,7 +6,7 @@ import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
 public interface GroupFactory {
 
 	/**
-	 * Creates a group with the given client ID, client version and descriptor.
+	 * Creates a group with the given client ID and descriptor.
 	 */
-	Group createGroup(ClientId c, int clientVersion, byte[] descriptor);
+	Group createGroup(ClientId c, byte[] descriptor);
 }

bramble-api/src/main/java/org/briarproject/bramble/api/sync/GroupId.java

@@ -15,7 +15,7 @@ public class GroupId extends UniqueId {
 	/**
 	 * Label for hashing groups to calculate their identifiers.
 	 */
-	public static final String LABEL = "org.briarproject.bramble/GROUP_ID";
+	public static final String LABEL = "org.briarproject.bramble.GROUP_ID";
 
 	public GroupId(byte[] id) {
 		super(id);

bramble-api/src/main/java/org/briarproject/bramble/api/sync/Message.java

@@ -5,11 +5,6 @@ import static org.briarproject.bramble.api.sync.SyncConstants.MESSAGE_HEADER_LEN
 
 public class Message {
 
-	/**
-	 * The current version of the message format.
-	 */
-	public static final int FORMAT_VERSION = 1;
-
 	private final MessageId id;
 	private final GroupId groupId;
 	private final long timestamp;

bramble-api/src/main/java/org/briarproject/bramble/api/sync/MessageId.java

@@ -16,13 +16,7 @@ public class MessageId extends UniqueId {
 	/**
 	 * Label for hashing messages to calculate their identifiers.
 	 */
-	public static final String ID_LABEL = "org.briarproject.bramble/MESSAGE_ID";
-
-	/**
-	 * Label for hashing blocks of messages.
-	 */
-	public static final String BLOCK_LABEL =
-			"org.briarproject.bramble/MESSAGE_BLOCK";
+	public static final String LABEL = "org.briarproject.bramble.MESSAGE_ID";
 
 	public MessageId(byte[] id) {
 		super(id);

bramble-api/src/main/java/org/briarproject/bramble/api/transport/KeyManager.java

@@ -6,8 +6,6 @@ import org.briarproject.bramble.api.db.DbException;
 import org.briarproject.bramble.api.db.Transaction;
 import org.briarproject.bramble.api.plugin.TransportId;
 
-import java.util.Map;
-
 import javax.annotation.Nullable;
 
 /**
@@ -18,51 +16,13 @@ public interface KeyManager {
 
 	/**
 	 * Informs the key manager that a new contact has been added. Derives and
-	 * stores a set of transport keys for communicating with the contact over
-	 * each transport.
-	 * <p/>
+	 * stores transport keys for communicating with the contact.
 	 * {@link StreamContext StreamContexts} for the contact can be created
 	 * after this method has returned.
 	 */
 	void addContact(Transaction txn, ContactId c, SecretKey master,
 			long timestamp, boolean alice) throws DbException;
 
-	/**
-	 * Derives and stores a set of unbound transport keys for each transport
-	 * and returns the key set IDs.
-	 * <p/>
-	 * The keys must be bound before they can be used for incoming streams,
-	 * and also activated before they can be used for outgoing streams.
-	 */
-	Map<TransportId, KeySetId> addUnboundKeys(Transaction txn, SecretKey master,
-			long timestamp, boolean alice) throws DbException;
-
-	/**
-	 * Binds the given transport keys to the given contact.
-	 */
-	void bindKeys(Transaction txn, ContactId c, Map<TransportId, KeySetId> keys)
-			throws DbException;
-
-	/**
-	 * Marks the given transport keys as usable for outgoing streams. Keys must
-	 * be bound before they are activated.
-	 */
-	void activateKeys(Transaction txn, Map<TransportId, KeySetId> keys)
-			throws DbException;
-
-	/**
-	 * Removes the given transport keys, which must not have been bound, from
-	 * the manager and the database.
-	 */
-	void removeKeys(Transaction txn, Map<TransportId, KeySetId> keys)
-		throws DbException;
-
-	/**
-	 * Returns true if we have keys that can be used for outgoing streams to
-	 * the given contact over the given transport.
-	 */
-	boolean canSendOutgoingStreams(ContactId c, TransportId t);
-
 	/**
 	 * Returns a {@link StreamContext} for sending a stream to the given
 	 * contact over the given transport, or null if an error occurs or the

bramble-api/src/main/java/org/briarproject/bramble/api/transport/KeySet.java

@@ -1,51 +0,0 @@
-package org.briarproject.bramble.api.transport;
-
-import org.briarproject.bramble.api.contact.ContactId;
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-
-import javax.annotation.Nullable;
-import javax.annotation.concurrent.Immutable;
-
-/**
- * A set of transport keys for communicating with a contact. If the keys have
- * not yet been bound to a contact, {@link #getContactId()}} returns null.
- */
-@Immutable
-@NotNullByDefault
-public class KeySet {
-
-	private final KeySetId keySetId;
-	@Nullable
-	private final ContactId contactId;
-	private final TransportKeys transportKeys;
-
-	public KeySet(KeySetId keySetId, @Nullable ContactId contactId,
-			TransportKeys transportKeys) {
-		this.keySetId = keySetId;
-		this.contactId = contactId;
-		this.transportKeys = transportKeys;
-	}
-
-	public KeySetId getKeySetId() {
-		return keySetId;
-	}
-
-	@Nullable
-	public ContactId getContactId() {
-		return contactId;
-	}
-
-	public TransportKeys getTransportKeys() {
-		return transportKeys;
-	}
-
-	@Override
-	public int hashCode() {
-		return keySetId.hashCode();
-	}
-
-	@Override
-	public boolean equals(Object o) {
-		return o instanceof KeySet && keySetId.equals(((KeySet) o).keySetId);
-	}
-}

bramble-api/src/main/java/org/briarproject/bramble/api/transport/KeySetId.java

@@ -1,36 +0,0 @@
-package org.briarproject.bramble.api.transport;
-
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-
-import javax.annotation.concurrent.Immutable;
-
-/**
- * Type-safe wrapper for an integer that uniquely identifies a set of transport
- * keys within the scope of the local device.
- * <p/>
- * Key sets created on a given device must have increasing identifiers.
- */
-@Immutable
-@NotNullByDefault
-public class KeySetId {
-
-	private final int id;
-
-	public KeySetId(int id) {
-		this.id = id;
-	}
-
-	public int getInt() {
-		return id;
-	}
-
-	@Override
-	public int hashCode() {
-		return id;
-	}
-
-	@Override
-	public boolean equals(Object o) {
-		return o instanceof KeySetId && id == ((KeySetId) o).id;
-	}
-}

bramble-api/src/main/java/org/briarproject/bramble/api/transport/OutgoingKeys.java

@@ -10,20 +10,18 @@ public class OutgoingKeys {
 
 	private final SecretKey tagKey, headerKey;
 	private final long rotationPeriod, streamCounter;
-	private final boolean active;
 
 	public OutgoingKeys(SecretKey tagKey, SecretKey headerKey,
-			long rotationPeriod, boolean active) {
-		this(tagKey, headerKey, rotationPeriod, 0, active);
+			long rotationPeriod) {
+		this(tagKey, headerKey, rotationPeriod, 0);
 	}
 
 	public OutgoingKeys(SecretKey tagKey, SecretKey headerKey,
-			long rotationPeriod, long streamCounter, boolean active) {
+			long rotationPeriod, long streamCounter) {
 		this.tagKey = tagKey;
 		this.headerKey = headerKey;
 		this.rotationPeriod = rotationPeriod;
 		this.streamCounter = streamCounter;
-		this.active = active;
 	}
 
 	public SecretKey getTagKey() {
@@ -41,8 +39,4 @@ public class OutgoingKeys {
 	public long getStreamCounter() {
 		return streamCounter;
 	}
-
-	public boolean isActive() {
-		return active;
-	}
 }

bramble-api/src/main/java/org/briarproject/bramble/api/transport/TransportConstants.java

@@ -7,7 +7,7 @@ public interface TransportConstants {
 	/**
 	 * The current version of the transport protocol.
 	 */
-	int PROTOCOL_VERSION = 4;
+	int PROTOCOL_VERSION = 3;
 
 	/**
 	 * The length of the pseudo-random tag in bytes.
@@ -80,32 +80,4 @@ public interface TransportConstants {
 	 * The size of the reordering window.
 	 */
 	int REORDERING_WINDOW_SIZE = 32;
-
-	/**
-	 * Label for deriving Alice's initial tag key from the master secret.
-	 */
-	String ALICE_TAG_LABEL = "org.briarproject.bramble.transport/ALICE_TAG_KEY";
-
-	/**
-	 * Label for deriving Bob's initial tag key from the master secret.
-	 */
-	String BOB_TAG_LABEL = "org.briarproject.bramble.transport/BOB_TAG_KEY";
-
-	/**
-	 * Label for deriving Alice's initial header key from the master secret.
-	 */
-	String ALICE_HEADER_LABEL =
-			"org.briarproject.bramble.transport/ALICE_HEADER_KEY";
-
-	/**
-	 * Label for deriving Bob's initial header key from the master secret.
-	 */
-	String BOB_HEADER_LABEL =
-			"org.briarproject.bramble.transport/BOB_HEADER_KEY";
-
-	/**
-	 * Label for deriving the next period's key in key rotation.
-	 */
-	String ROTATE_LABEL = "org.briarproject.bramble.transport/ROTATE";
-
 }

bramble-api/src/test/java/org/briarproject/bramble/test/TestUtils.java

@@ -5,8 +5,6 @@ import org.briarproject.bramble.api.crypto.SecretKey;
 import org.briarproject.bramble.api.identity.Author;
 import org.briarproject.bramble.api.identity.AuthorId;
 import org.briarproject.bramble.api.identity.LocalAuthor;
-import org.briarproject.bramble.api.plugin.TransportId;
-import org.briarproject.bramble.api.properties.TransportProperties;
 import org.briarproject.bramble.api.sync.ClientId;
 import org.briarproject.bramble.api.sync.Group;
 import org.briarproject.bramble.api.sync.GroupId;
@@ -15,21 +13,11 @@ import org.briarproject.bramble.api.sync.MessageId;
 import org.briarproject.bramble.util.IoUtils;
 
 import java.io.File;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
 import java.util.Random;
 import java.util.concurrent.atomic.AtomicInteger;
 
-import static org.briarproject.bramble.api.identity.Author.FORMAT_VERSION;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_AUTHOR_NAME_LENGTH;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_PUBLIC_KEY_LENGTH;
-import static org.briarproject.bramble.api.plugin.TransportId.MAX_TRANSPORT_ID_LENGTH;
-import static org.briarproject.bramble.api.properties.TransportPropertyConstants.MAX_PROPERTY_LENGTH;
-import static org.briarproject.bramble.api.sync.ClientId.MAX_CLIENT_ID_LENGTH;
 import static org.briarproject.bramble.api.sync.SyncConstants.MAX_GROUP_DESCRIPTOR_LENGTH;
 import static org.briarproject.bramble.api.sync.SyncConstants.MAX_MESSAGE_BODY_LENGTH;
 import static org.briarproject.bramble.api.sync.SyncConstants.MESSAGE_HEADER_LENGTH;
@@ -61,33 +49,6 @@ public class TestUtils {
 		return getRandomBytes(UniqueId.LENGTH);
 	}
 
-	public static ClientId getClientId() {
-		return new ClientId(getRandomString(MAX_CLIENT_ID_LENGTH));
-	}
-
-	public static TransportId getTransportId() {
-		return new TransportId(getRandomString(MAX_TRANSPORT_ID_LENGTH));
-	}
-
-	public static TransportProperties getTransportProperties(int number) {
-		TransportProperties tp = new TransportProperties();
-		for (int i = 0; i < number; i++) {
-			tp.put(getRandomString(1 + random.nextInt(MAX_PROPERTY_LENGTH)),
-					getRandomString(1 + random.nextInt(MAX_PROPERTY_LENGTH))
-			);
-		}
-		return tp;
-	}
-
-	public static Map<TransportId, TransportProperties> getTransportPropertiesMap(
-			int number) {
-		Map<TransportId, TransportProperties> map = new HashMap<>();
-		for (int i = 0; i < number; i++) {
-			map.put(getTransportId(), getTransportProperties(number));
-		}
-		return map;
-	}
-
 	public static SecretKey getSecretKey() {
 		return new SecretKey(getRandomBytes(SecretKey.LENGTH));
 	}
@@ -102,8 +63,7 @@ public class TestUtils {
 		byte[] publicKey = getRandomBytes(MAX_PUBLIC_KEY_LENGTH);
 		byte[] privateKey = getRandomBytes(MAX_PUBLIC_KEY_LENGTH);
 		long created = System.currentTimeMillis();
-		return new LocalAuthor(id, FORMAT_VERSION, name, publicKey, privateKey,
-				created);
+		return new LocalAuthor(id, name, publicKey, privateKey, created);
 	}
 
 	public static Author getAuthor() {
@@ -114,7 +74,7 @@ public class TestUtils {
 		AuthorId id = new AuthorId(getRandomId());
 		String name = getRandomString(nameLength);
 		byte[] publicKey = getRandomBytes(MAX_PUBLIC_KEY_LENGTH);
-		return new Author(id, FORMAT_VERSION, name, publicKey);
+		return new Author(id, name, publicKey);
 	}
 
 	public static Group getGroup(ClientId clientId) {
@@ -139,38 +99,4 @@ public class TestUtils {
 		long timestamp = System.currentTimeMillis();
 		return new Message(id, groupId, timestamp, raw);
 	}
-
-	public static double getMedian(Collection<? extends Number> samples) {
-		int size = samples.size();
-		if (size == 0) throw new IllegalArgumentException();
-		List<Double> sorted = new ArrayList<>(size);
-		for (Number n : samples) sorted.add(n.doubleValue());
-		Collections.sort(sorted);
-		if (size % 2 == 1) return sorted.get(size / 2);
-		double low = sorted.get(size / 2 - 1), high = sorted.get(size / 2);
-		return (low + high) / 2;
-	}
-
-	public static double getMean(Collection<? extends Number> samples) {
-		if (samples.isEmpty()) throw new IllegalArgumentException();
-		double sum = 0;
-		for (Number n : samples) sum += n.doubleValue();
-		return sum / samples.size();
-	}
-
-	public static double getVariance(Collection<? extends Number> samples) {
-		if (samples.size() < 2) throw new IllegalArgumentException();
-		double mean = getMean(samples);
-		double sumSquareDiff = 0;
-		for (Number n : samples) {
-			double diff = n.doubleValue() - mean;
-			sumSquareDiff += diff * diff;
-		}
-		return sumSquareDiff / (samples.size() - 1);
-	}
-
-	public static double getStandardDeviation(
-			Collection<? extends Number> samples) {
-		return Math.sqrt(getVariance(samples));
-	}
 }

bramble-core/build.gradle

@@ -9,15 +9,12 @@ apply plugin: 'witness'
 dependencies {
 	implementation project(path: ':bramble-api', configuration: 'default')
 	implementation 'com.madgag.spongycastle:core:1.58.0.0'
-	implementation 'com.h2database:h2:1.4.192' // The last version that supports Java 1.6
+	implementation 'com.h2database:h2:1.4.192' // This is the last version that supports Java 1.6
 	implementation 'org.bitlet:weupnp:0.1.4'
-	implementation 'net.i2p.crypto:eddsa:0.2.0'
-	implementation 'org.whispersystems:curve25519-java:0.4.1'
 
 	apt 'com.google.dagger:dagger-compiler:2.0.2'
 
 	testImplementation project(path: ':bramble-api', configuration: 'testOutput')
-	testImplementation 'org.hsqldb:hsqldb:2.3.5' // The last version that supports Java 1.6
 	testImplementation 'junit:junit:4.12'
 	testImplementation "org.jmock:jmock:2.8.2"
 	testImplementation "org.jmock:jmock-junit4:2.8.2"
@@ -40,21 +37,18 @@ dependencyVerification {
 			'com.madgag.spongycastle:core:1.58.0.0:core-1.58.0.0.jar:199617dd5698c5a9312b898c0a4cec7ce9dd8649d07f65d91629f58229d72728',
 			'javax.inject:javax.inject:1:javax.inject-1.jar:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff',
 			'junit:junit:4.12:junit-4.12.jar:59721f0805e223d84b90677887d9ff567dc534d7c502ca903c0c2b17f05c116a',
-			'net.i2p.crypto:eddsa:0.2.0:eddsa-0.2.0.jar:a7cb1b85c16e2f0730b9204106929a1d9aaae1df728adc7041a8b8b605692140',
 			'org.apache.ant:ant-launcher:1.9.4:ant-launcher-1.9.4.jar:7bccea20b41801ca17bcbc909a78c835d0f443f12d639c77bd6ae3d05861608d',
 			'org.apache.ant:ant:1.9.4:ant-1.9.4.jar:649ae0730251de07b8913f49286d46bba7b92d47c5f332610aa426c4f02161d8',
 			'org.beanshell:bsh:1.3.0:bsh-1.3.0.jar:9b04edc75d19db54f1b4e8b5355e9364384c6cf71eb0a1b9724c159d779879f8',
 			'org.bitlet:weupnp:0.1.4:weupnp-0.1.4.jar:88df7e6504929d00bdb832863761385c68ab92af945b04f0770b126270a444fb',
 			'org.hamcrest:hamcrest-core:1.3:hamcrest-core-1.3.jar:66fdef91e9739348df7a096aa384a5685f4e875584cce89386a7a47251c4d8e9',
 			'org.hamcrest:hamcrest-library:1.3:hamcrest-library-1.3.jar:711d64522f9ec410983bd310934296da134be4254a125080a0416ec178dfad1c',
-			'org.hsqldb:hsqldb:2.3.5:hsqldb-2.3.5.jar:6676a6977ac98997a80f827ddbd3fe8ca1e0853dad1492512135fd1a222ccfad',
 			'org.jmock:jmock-junit4:2.8.2:jmock-junit4-2.8.2.jar:f7ee4df4f7bd7b7f1cafad3b99eb74d579f109d5992ff625347352edb55e674c',
 			'org.jmock:jmock-legacy:2.8.2:jmock-legacy-2.8.2.jar:f2b985a5c08a9edb7f37612330c058809da3f6a6d63ce792426ebf8ff0d6d31b',
 			'org.jmock:jmock-testjar:2.8.2:jmock-testjar-2.8.2.jar:8900860f72c474e027cf97fe78dcbf154a1aa7fc62b6845c5fb4e4f3c7bc8760',
 			'org.jmock:jmock:2.8.2:jmock-2.8.2.jar:6c73cb4a2e6dbfb61fd99c9a768539c170ab6568e57846bd60dbf19596b65b16',
 			'org.objenesis:objenesis:2.1:objenesis-2.1.jar:c74330cc6b806c804fd37e74487b4fe5d7c2750c5e15fbc6efa13bdee1bdef80',
 			'org.ow2.asm:asm:5.0.4:asm-5.0.4.jar:896618ed8ae62702521a78bc7be42b7c491a08e6920a15f89a3ecdec31e9a220',
-			'org.whispersystems:curve25519-java:0.4.1:curve25519-java-0.4.1.jar:7dd659d8822c06c3aea1a47f18fac9e5761e29cab8100030b877db445005f03e',
 	]
 }
 

bramble-core/src/main/java/org/briarproject/bramble/client/ClientHelperImpl.java

@@ -15,11 +15,7 @@ import org.briarproject.bramble.api.db.DatabaseComponent;
 import org.briarproject.bramble.api.db.DbException;
 import org.briarproject.bramble.api.db.Metadata;
 import org.briarproject.bramble.api.db.Transaction;
-import org.briarproject.bramble.api.identity.Author;
-import org.briarproject.bramble.api.identity.AuthorFactory;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-import org.briarproject.bramble.api.plugin.TransportId;
-import org.briarproject.bramble.api.properties.TransportProperties;
 import org.briarproject.bramble.api.sync.GroupId;
 import org.briarproject.bramble.api.sync.Message;
 import org.briarproject.bramble.api.sync.MessageFactory;
@@ -36,14 +32,7 @@ import java.util.Map.Entry;
 import javax.annotation.concurrent.Immutable;
 import javax.inject.Inject;
 
-import static org.briarproject.bramble.api.identity.Author.FORMAT_VERSION;
-import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_AUTHOR_NAME_LENGTH;
-import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_PUBLIC_KEY_LENGTH;
-import static org.briarproject.bramble.api.properties.TransportPropertyConstants.MAX_PROPERTIES_PER_TRANSPORT;
-import static org.briarproject.bramble.api.properties.TransportPropertyConstants.MAX_PROPERTY_LENGTH;
 import static org.briarproject.bramble.api.sync.SyncConstants.MESSAGE_HEADER_LENGTH;
-import static org.briarproject.bramble.util.ValidationUtils.checkLength;
-import static org.briarproject.bramble.util.ValidationUtils.checkSize;
 
 @Immutable
 @NotNullByDefault
@@ -62,14 +51,12 @@ class ClientHelperImpl implements ClientHelper {
 	private final MetadataParser metadataParser;
 	private final MetadataEncoder metadataEncoder;
 	private final CryptoComponent crypto;
-	private final AuthorFactory authorFactory;
 
 	@Inject
 	ClientHelperImpl(DatabaseComponent db, MessageFactory messageFactory,
 			BdfReaderFactory bdfReaderFactory,
 			BdfWriterFactory bdfWriterFactory, MetadataParser metadataParser,
-			MetadataEncoder metadataEncoder, CryptoComponent crypto,
-			AuthorFactory authorFactory) {
+			MetadataEncoder metadataEncoder, CryptoComponent crypto) {
 		this.db = db;
 		this.messageFactory = messageFactory;
 		this.bdfReaderFactory = bdfReaderFactory;
@@ -77,7 +64,6 @@ class ClientHelperImpl implements ClientHelper {
 		this.metadataParser = metadataParser;
 		this.metadataEncoder = metadataEncoder;
 		this.crypto = crypto;
-		this.authorFactory = authorFactory;
 	}
 
 	@Override
@@ -328,20 +314,6 @@ class ClientHelperImpl implements ClientHelper {
 		}
 	}
 
-	@Override
-	public BdfDictionary toDictionary(TransportProperties transportProperties) {
-		return new BdfDictionary(transportProperties);
-	}
-
-	@Override
-	public BdfDictionary toDictionary(
-			Map<TransportId, TransportProperties> map) {
-		BdfDictionary d = new BdfDictionary();
-		for (Entry<TransportId, TransportProperties> e : map.entrySet())
-			d.put(e.getKey().getString(), new BdfDictionary(e.getValue()));
-		return d;
-	}
-
 	@Override
 	public BdfList toList(byte[] b, int off, int len) throws FormatException {
 		ByteArrayInputStream in = new ByteArrayInputStream(b, off, len);
@@ -369,11 +341,6 @@ class ClientHelperImpl implements ClientHelper {
 				raw.length - MESSAGE_HEADER_LENGTH);
 	}
 
-	@Override
-	public BdfList toList(Author a) {
-		return BdfList.of(a.getFormatVersion(), a.getName(), a.getPublicKey());
-	}
-
 	@Override
 	public byte[] sign(String label, BdfList toSign, byte[] privateKey)
 			throws FormatException, GeneralSecurityException {
@@ -381,53 +348,11 @@ class ClientHelperImpl implements ClientHelper {
 	}
 
 	@Override
-	public void verifySignature(byte[] signature, String label, BdfList signed,
-			byte[] publicKey) throws FormatException, GeneralSecurityException {
-		if (!crypto.verifySignature(signature, label, toByteArray(signed),
-				publicKey)) {
+	public void verifySignature(String label, byte[] sig, byte[] publicKey,
+			BdfList signed) throws FormatException, GeneralSecurityException {
+		if (!crypto.verify(label, toByteArray(signed), publicKey, sig)) {
 			throw new GeneralSecurityException("Invalid signature");
 		}
 	}
 
-	@Override
-	public Author parseAndValidateAuthor(BdfList author)
-			throws FormatException {
-		checkSize(author, 3);
-		int formatVersion = author.getLong(0).intValue();
-		if (formatVersion != FORMAT_VERSION) throw new FormatException();
-		String name = author.getString(1);
-		checkLength(name, 1, MAX_AUTHOR_NAME_LENGTH);
-		byte[] publicKey = author.getRaw(2);
-		checkLength(publicKey, 1, MAX_PUBLIC_KEY_LENGTH);
-		return authorFactory.createAuthor(formatVersion, name, publicKey);
-	}
-
-	@Override
-	public TransportProperties parseAndValidateTransportProperties(
-			BdfDictionary properties) throws FormatException {
-		checkSize(properties, 0, MAX_PROPERTIES_PER_TRANSPORT);
-		TransportProperties p = new TransportProperties();
-		for (String key : properties.keySet()) {
-			checkLength(key, 1, MAX_PROPERTY_LENGTH);
-			String value = properties.getString(key);
-			checkLength(value, 1, MAX_PROPERTY_LENGTH);
-			p.put(key, value);
-		}
-		return p;
-	}
-
-	@Override
-	public Map<TransportId, TransportProperties> parseAndValidateTransportPropertiesMap(
-			BdfDictionary properties) throws FormatException {
-		Map<TransportId, TransportProperties> tpMap = new HashMap<>();
-		for (String key : properties.keySet()) {
-			TransportId transportId = new TransportId(key);
-			TransportProperties transportProperties =
-					parseAndValidateTransportProperties(
-							properties.getDictionary(key));
-			tpMap.put(transportId, transportProperties);
-		}
-		return tpMap;
-	}
-
 }

bramble-core/src/main/java/org/briarproject/bramble/client/ClientModule.java

@@ -2,6 +2,14 @@ package org.briarproject.bramble.client;
 
 import org.briarproject.bramble.api.client.ClientHelper;
 import org.briarproject.bramble.api.client.ContactGroupFactory;
+import org.briarproject.bramble.api.crypto.CryptoComponent;
+import org.briarproject.bramble.api.data.BdfReaderFactory;
+import org.briarproject.bramble.api.data.BdfWriterFactory;
+import org.briarproject.bramble.api.data.MetadataEncoder;
+import org.briarproject.bramble.api.data.MetadataParser;
+import org.briarproject.bramble.api.db.DatabaseComponent;
+import org.briarproject.bramble.api.sync.GroupFactory;
+import org.briarproject.bramble.api.sync.MessageFactory;
 
 import dagger.Module;
 import dagger.Provides;
@@ -10,14 +18,19 @@ import dagger.Provides;
 public class ClientModule {
 
 	@Provides
-	ClientHelper provideClientHelper(ClientHelperImpl clientHelper) {
-		return clientHelper;
+	ClientHelper provideClientHelper(DatabaseComponent db,
+			MessageFactory messageFactory, BdfReaderFactory bdfReaderFactory,
+			BdfWriterFactory bdfWriterFactory, MetadataParser metadataParser,
+			MetadataEncoder metadataEncoder, CryptoComponent cryptoComponent) {
+		return new ClientHelperImpl(db, messageFactory, bdfReaderFactory,
+				bdfWriterFactory, metadataParser, metadataEncoder,
+				cryptoComponent);
 	}
 
 	@Provides
-	ContactGroupFactory provideContactGroupFactory(
-			ContactGroupFactoryImpl contactGroupFactory) {
-		return contactGroupFactory;
+	ContactGroupFactory provideContactGroupFactory(GroupFactory groupFactory,
+			ClientHelper clientHelper) {
+		return new ContactGroupFactoryImpl(groupFactory, clientHelper);
 	}
 
 }

bramble-core/src/main/java/org/briarproject/bramble/client/ContactGroupFactoryImpl.java

@@ -32,25 +32,23 @@ class ContactGroupFactoryImpl implements ContactGroupFactory {
 	}
 
 	@Override
-	public Group createLocalGroup(ClientId clientId, int clientVersion) {
-		return groupFactory.createGroup(clientId, clientVersion,
-				LOCAL_GROUP_DESCRIPTOR);
+	public Group createLocalGroup(ClientId clientId) {
+		return groupFactory.createGroup(clientId, LOCAL_GROUP_DESCRIPTOR);
 	}
 
 	@Override
-	public Group createContactGroup(ClientId clientId, int clientVersion,
-			Contact contact) {
+	public Group createContactGroup(ClientId clientId, Contact contact) {
 		AuthorId local = contact.getLocalAuthorId();
 		AuthorId remote = contact.getAuthor().getId();
 		byte[] descriptor = createGroupDescriptor(local, remote);
-		return groupFactory.createGroup(clientId, clientVersion, descriptor);
+		return groupFactory.createGroup(clientId, descriptor);
 	}
 
 	@Override
-	public Group createContactGroup(ClientId clientId, int clientVersion,
-			AuthorId authorId1, AuthorId authorId2) {
+	public Group createContactGroup(ClientId clientId, AuthorId authorId1,
+			AuthorId authorId2) {
 		byte[] descriptor = createGroupDescriptor(authorId1, authorId2);
-		return groupFactory.createGroup(clientId, clientVersion, descriptor);
+		return groupFactory.createGroup(clientId, descriptor);
 	}
 
 	private byte[] createGroupDescriptor(AuthorId local, AuthorId remote) {

bramble-core/src/main/java/org/briarproject/bramble/contact/ContactExchangeTaskImpl.java

@@ -43,7 +43,6 @@ import javax.inject.Inject;
 
 import static java.util.logging.Level.INFO;
 import static java.util.logging.Level.WARNING;
-import static org.briarproject.bramble.api.identity.Author.FORMAT_VERSION;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_AUTHOR_NAME_LENGTH;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_PUBLIC_KEY_LENGTH;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_SIGNATURE_LENGTH;
@@ -142,10 +141,8 @@ class ContactExchangeTaskImpl extends Thread implements ContactExchangeTask {
 		}
 
 		// Derive the header keys for the transport streams
-		SecretKey aliceHeaderKey = crypto.deriveKey(ALICE_KEY_LABEL,
-				masterSecret, new byte[] {PROTOCOL_VERSION});
-		SecretKey bobHeaderKey = crypto.deriveKey(BOB_KEY_LABEL, masterSecret,
-				new byte[] {PROTOCOL_VERSION});
+		SecretKey aliceHeaderKey = crypto.deriveHeaderKey(masterSecret, true);
+		SecretKey bobHeaderKey = crypto.deriveHeaderKey(masterSecret, false);
 
 		// Create the readers
 		InputStream streamReader =
@@ -159,10 +156,8 @@ class ContactExchangeTaskImpl extends Thread implements ContactExchangeTask {
 		BdfWriter w = bdfWriterFactory.createWriter(streamWriter);
 
 		// Derive the nonces to be signed
-		byte[] aliceNonce = crypto.mac(ALICE_NONCE_LABEL, masterSecret,
-				new byte[] {PROTOCOL_VERSION});
-		byte[] bobNonce = crypto.mac(BOB_NONCE_LABEL, masterSecret,
-				new byte[] {PROTOCOL_VERSION});
+		byte[] aliceNonce = crypto.deriveSignatureNonce(masterSecret, true);
+		byte[] bobNonce = crypto.deriveSignatureNonce(masterSecret, false);
 
 		// Exchange pseudonyms, signed nonces, and timestamps
 		long localTimestamp = clock.currentTimeMillis();
@@ -201,8 +196,8 @@ class ContactExchangeTaskImpl extends Thread implements ContactExchangeTask {
 
 		try {
 			// Add the contact
-			ContactId contactId = addContact(remoteAuthor, timestamp,
-					remoteProperties);
+			ContactId contactId = addContact(remoteAuthor, masterSecret,
+					timestamp, alice, remoteProperties);
 			// Reuse the connection as a transport connection
 			connectionManager.manageOutgoingConnection(contactId, transportId,
 					conn);
@@ -228,7 +223,6 @@ class ContactExchangeTaskImpl extends Thread implements ContactExchangeTask {
 
 		// Write the name, public key and signature
 		w.writeListStart();
-		w.writeLong(localAuthor.getFormatVersion());
 		w.writeString(localAuthor.getName());
 		w.writeRaw(localAuthor.getPublicKey());
 		w.writeRaw(sig);
@@ -238,26 +232,20 @@ class ContactExchangeTaskImpl extends Thread implements ContactExchangeTask {
 
 	private Author receivePseudonym(BdfReader r, byte[] nonce)
 			throws GeneralSecurityException, IOException {
-		// Read the format version, name, public key and signature
+		// Read the name, public key and signature
 		r.readListStart();
-		int formatVersion = (int) r.readLong();
-		if (formatVersion != FORMAT_VERSION) throw new FormatException();
 		String name = r.readString(MAX_AUTHOR_NAME_LENGTH);
-		if (name.isEmpty()) throw new FormatException();
 		byte[] publicKey = r.readRaw(MAX_PUBLIC_KEY_LENGTH);
-		if (publicKey.length == 0) throw new FormatException();
 		byte[] sig = r.readRaw(MAX_SIGNATURE_LENGTH);
-		if (sig.length == 0) throw new FormatException();
 		r.readListEnd();
 		LOG.info("Received pseudonym");
 		// Verify the signature
-		if (!crypto.verifySignature(sig, SIGNING_LABEL_EXCHANGE, nonce,
-				publicKey)) {
+		if (!crypto.verify(SIGNING_LABEL_EXCHANGE, nonce, publicKey, sig)) {
 			if (LOG.isLoggable(INFO))
 				LOG.info("Invalid signature");
 			throw new GeneralSecurityException();
 		}
-		return authorFactory.createAuthor(formatVersion, name, publicKey);
+		return authorFactory.createAuthor(name, publicKey);
 	}
 
 	private void sendTimestamp(BdfWriter w, long timestamp)
@@ -306,15 +294,15 @@ class ContactExchangeTaskImpl extends Thread implements ContactExchangeTask {
 		return remote;
 	}
 
-	private ContactId addContact(Author remoteAuthor, long timestamp,
+	private ContactId addContact(Author remoteAuthor, SecretKey master,
+			long timestamp, boolean alice,
 			Map<TransportId, TransportProperties> remoteProperties)
 			throws DbException {
 		ContactId contactId;
 		Transaction txn = db.startTransaction(false);
 		try {
 			contactId = contactManager.addContact(txn, remoteAuthor,
-					localAuthor.getId(), masterSecret, timestamp, alice,
-					true, true);
+					localAuthor.getId(), master, timestamp, alice, true, true);
 			transportPropertyManager.addRemoteProperties(txn, contactId,
 					remoteProperties);
 			db.commitTransaction(txn);
@@ -324,7 +312,8 @@ class ContactExchangeTaskImpl extends Thread implements ContactExchangeTask {
 		return contactId;
 	}
 
-	private void tryToClose(DuplexTransportConnection conn, boolean exception) {
+	private void tryToClose(DuplexTransportConnection conn,
+			boolean exception) {
 		try {
 			LOG.info("Closing connection");
 			conn.getReader().dispose(exception, true);

bramble-core/src/main/java/org/briarproject/bramble/contact/ContactManagerImpl.java

@@ -27,37 +27,36 @@ class ContactManagerImpl implements ContactManager {
 
 	private final DatabaseComponent db;
 	private final KeyManager keyManager;
-	private final List<ContactHook> hooks;
+	private final List<AddContactHook> addHooks;
+	private final List<RemoveContactHook> removeHooks;
 
 	@Inject
 	ContactManagerImpl(DatabaseComponent db, KeyManager keyManager) {
 		this.db = db;
 		this.keyManager = keyManager;
-		hooks = new CopyOnWriteArrayList<>();
+		addHooks = new CopyOnWriteArrayList<>();
+		removeHooks = new CopyOnWriteArrayList<>();
 	}
 
 	@Override
-	public void registerContactHook(ContactHook hook) {
-		hooks.add(hook);
+	public void registerAddContactHook(AddContactHook hook) {
+		addHooks.add(hook);
+	}
+
+	@Override
+	public void registerRemoveContactHook(RemoveContactHook hook) {
+		removeHooks.add(hook);
 	}
 
 	@Override
 	public ContactId addContact(Transaction txn, Author remote, AuthorId local,
-			SecretKey master, long timestamp, boolean alice, boolean verified,
+			SecretKey master,long timestamp, boolean alice, boolean verified,
 			boolean active) throws DbException {
 		ContactId c = db.addContact(txn, remote, local, verified, active);
 		keyManager.addContact(txn, c, master, timestamp, alice);
 		Contact contact = db.getContact(txn, c);
-		for (ContactHook hook : hooks) hook.addingContact(txn, contact);
-		return c;
-	}
-
-	@Override
-	public ContactId addContact(Transaction txn, Author remote, AuthorId local,
-			boolean verified, boolean active) throws DbException {
-		ContactId c = db.addContact(txn, remote, local, verified, active);
-		Contact contact = db.getContact(txn, c);
-		for (ContactHook hook : hooks) hook.addingContact(txn, contact);
+		for (AddContactHook hook : addHooks)
+			hook.addingContact(txn, contact);
 		return c;
 	}
 
@@ -157,7 +156,7 @@ class ContactManagerImpl implements ContactManager {
 	@Override
 	public boolean contactExists(AuthorId remoteAuthorId,
 			AuthorId localAuthorId) throws DbException {
-		boolean exists;
+		boolean exists = false;
 		Transaction txn = db.startTransaction(true);
 		try {
 			exists = contactExists(txn, remoteAuthorId, localAuthorId);
@@ -172,7 +171,8 @@ class ContactManagerImpl implements ContactManager {
 	public void removeContact(Transaction txn, ContactId c)
 			throws DbException {
 		Contact contact = db.getContact(txn, c);
-		for (ContactHook hook : hooks) hook.removingContact(txn, contact);
+		for (RemoveContactHook hook : removeHooks)
+			hook.removingContact(txn, contact);
 		db.removeContact(txn, c);
 	}
 

bramble-core/src/main/java/org/briarproject/bramble/crypto/Blake2sDigest.java

@@ -0,0 +1,547 @@
+package org.briarproject.bramble.crypto;
+
+/*
+  The BLAKE2 cryptographic hash function was designed by Jean-
+  Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian
+  Winnerlein.
+
+  Reference Implementation and Description can be found at: https://blake2.net/
+  RFC: https://tools.ietf.org/html/rfc7693
+
+  This implementation does not support the Tree Hashing Mode.
+
+  For unkeyed hashing, developers adapting BLAKE2 to ASN.1 - based
+  message formats SHOULD use the OID tree at x = 1.3.6.1.4.1.1722.12.2.
+
+         Algorithm     | Target | Collision | Hash | Hash ASN.1 |
+            Identifier |  Arch  |  Security |  nn  | OID Suffix |
+        ---------------+--------+-----------+------+------------+
+         id-blake2s128 | 32-bit |   2**64   |  16  |   x.2.4    |
+         id-blake2s160 | 32-bit |   2**80   |  20  |   x.2.5    |
+         id-blake2s224 | 32-bit |   2**112  |  28  |   x.2.7    |
+         id-blake2s256 | 32-bit |   2**128  |  32  |   x.2.8    |
+        ---------------+--------+-----------+------+------------+
+
+  Based on the BouncyCastle implementation of BLAKE2b. License:
+
+  Copyright (c) 2000 - 2015 The Legion of the Bouncy Castle Inc.
+  (http://www.bouncycastle.org)
+
+  Permission is hereby granted, free of charge, to any person obtaining a copy
+  of this software and associated documentation files (the "Software"), to deal
+  in the Software without restriction, including without limitation the rights
+  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+  copies of the Software, and to permit persons to whom the Software is
+  furnished to do so, subject to the following conditions:
+
+  The above copyright notice and this permission notice shall be included in
+  all copies or substantial portions of the Software.
+
+  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+  SOFTWARE.
+ */
+
+import org.spongycastle.crypto.ExtendedDigest;
+import org.spongycastle.util.Arrays;
+
+/**
+ * Implementation of the cryptographic hash function BLAKE2s.
+ * <p/>
+ * BLAKE2s offers a built-in keying mechanism to be used directly
+ * for authentication ("Prefix-MAC") rather than a HMAC construction.
+ * <p/>
+ * BLAKE2s offers a built-in support for a salt for randomized hashing
+ * and a personal string for defining a unique hash function for each application.
+ * <p/>
+ * BLAKE2s is optimized for 32-bit platforms and produces digests of any size
+ * between 1 and 32 bytes.
+ */
+public class Blake2sDigest implements ExtendedDigest {
+	/** BLAKE2s Initialization Vector **/
+	private static final int blake2s_IV[] =
+			// Produced from the square root of primes 2, 3, 5, 7, 11, 13, 17, 19.
+			// The same as SHA-256 IV.
+			{
+					0x6a09e667, 0xbb67ae85, 0x3c6ef372,
+					0xa54ff53a, 0x510e527f, 0x9b05688c,
+					0x1f83d9ab, 0x5be0cd19
+			};
+
+	/** Message word permutations **/
+	private static final byte[][] blake2s_sigma =
+			{
+					{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+					{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
+					{ 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
+					{ 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
+					{ 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
+					{ 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
+					{ 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
+					{ 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
+					{ 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
+					{ 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }
+			};
+
+	private static final int ROUNDS = 10; // to use for Catenas H'
+	private static final int BLOCK_LENGTH_BYTES = 64;// bytes
+
+	// General parameters:
+	private int digestLength = 32; // 1- 32 bytes
+	private int keyLength = 0; // 0 - 32 bytes for keyed hashing for MAC
+	private byte[] salt = null;
+	private byte[] personalization = null;
+	private byte[] key = null;
+
+	// Tree hashing parameters:
+	// Because this class does not implement the Tree Hashing Mode,
+	// these parameters can be treated as constants (see init() function)
+	/*
+	 * private int fanout = 1; // 0-255
+	 * private int depth = 1; // 1 - 255
+	 * private int leafLength= 0;
+	 * private long nodeOffset = 0L;
+	 * private int nodeDepth = 0;
+	 * private int innerHashLength = 0;
+	 */
+
+	/**
+	 * Whenever this buffer overflows, it will be processed in the compress()
+	 * function. For performance issues, long messages will not use this buffer.
+	 */
+	private byte[] buffer = null;
+	/** Position of last inserted byte **/
+	private int bufferPos = 0;// a value from 0 up to BLOCK_LENGTH_BYTES
+
+	/** Internal state, in the BLAKE2 paper it is called v **/
+	private int[] internalState = new int[16];
+	/** State vector, in the BLAKE2 paper it is called h **/
+	private int[] chainValue = null;
+
+	// counter (counts bytes): Length up to 2^64 are supported
+	/** holds least significant bits of counter **/
+	private int t0 = 0;
+	/** holds most significant bits of counter **/
+	private int t1 = 0;
+	/** finalization flag, for last block: ~0 **/
+	private int f0 = 0;
+
+	// For Tree Hashing Mode, not used here:
+	// private long f1 = 0L; // finalization flag, for last node: ~0L
+
+	/**
+	 * BLAKE2s-256 for hashing.
+	 */
+	public Blake2sDigest() {
+		this(256);
+	}
+
+	public Blake2sDigest(Blake2sDigest digest) {
+		this.bufferPos = digest.bufferPos;
+		this.buffer = Arrays.clone(digest.buffer);
+		this.keyLength = digest.keyLength;
+		this.key = Arrays.clone(digest.key);
+		this.digestLength = digest.digestLength;
+		this.chainValue = Arrays.clone(digest.chainValue);
+		this.personalization = Arrays.clone(digest.personalization);
+	}
+
+	/**
+	 * BLAKE2s for hashing.
+	 *
+	 * @param digestBits the desired digest length in bits. Must be one of
+	 *                     [128, 160, 224, 256].
+	 */
+	public Blake2sDigest(int digestBits) {
+		if (digestBits != 128 && digestBits != 160 &&
+				digestBits != 224 && digestBits != 256) {
+			throw new IllegalArgumentException(
+					"BLAKE2s digest restricted to one of [128, 160, 224, 256]");
+		}
+		buffer = new byte[BLOCK_LENGTH_BYTES];
+		keyLength = 0;
+		digestLength = digestBits / 8;
+		init();
+	}
+
+	/**
+	 * BLAKE2s for authentication ("Prefix-MAC mode").
+	 * <p/>
+	 * After calling the doFinal() method, the key will remain to be used for
+	 * further computations of this instance. The key can be overwritten using
+	 * the clearKey() method.
+	 *
+	 * @param key a key up to 32 bytes or null
+	 */
+	public Blake2sDigest(byte[] key) {
+		buffer = new byte[BLOCK_LENGTH_BYTES];
+		if (key != null) {
+			if (key.length > 32) {
+				throw new IllegalArgumentException(
+						"Keys > 32 are not supported");
+			}
+			this.key = new byte[key.length];
+			System.arraycopy(key, 0, this.key, 0, key.length);
+
+			keyLength = key.length;
+			System.arraycopy(key, 0, buffer, 0, key.length);
+			bufferPos = BLOCK_LENGTH_BYTES; // zero padding
+		}
+		digestLength = 32;
+		init();
+	}
+
+	/**
+	 * BLAKE2s with key, required digest length, salt and personalization.
+	 * <p/>
+	 * After calling the doFinal() method, the key, the salt and the personal
+	 * string will remain and might be used for further computations with this
+	 * instance. The key can be overwritten using the clearKey() method, the
+	 * salt (pepper) can be overwritten using the clearSalt() method.
+	 *
+	 * @param key a key up to 32 bytes or null
+	 * @param digestBytes from 1 up to 32 bytes
+	 * @param salt 8 bytes or null
+	 * @param personalization 8 bytes or null
+	 */
+	public Blake2sDigest(byte[] key, int digestBytes, byte[] salt,
+			byte[] personalization) {
+		buffer = new byte[BLOCK_LENGTH_BYTES];
+		if (digestBytes < 1 || digestBytes > 32) {
+			throw new IllegalArgumentException(
+					"Invalid digest length (required: 1 - 32)");
+		}
+		digestLength = digestBytes;
+		if (salt != null) {
+			if (salt.length != 8) {
+				throw new IllegalArgumentException(
+						"Salt length must be exactly 8 bytes");
+			}
+			this.salt = new byte[8];
+			System.arraycopy(salt, 0, this.salt, 0, salt.length);
+		}
+		if (personalization != null) {
+			if (personalization.length != 8) {
+				throw new IllegalArgumentException(
+						"Personalization length must be exactly 8 bytes");
+			}
+			this.personalization = new byte[8];
+			System.arraycopy(personalization, 0, this.personalization, 0,
+					personalization.length);
+		}
+		if (key != null) {
+			if (key.length > 32) {
+				throw new IllegalArgumentException(
+						"Keys > 32 bytes are not supported");
+			}
+			this.key = new byte[key.length];
+			System.arraycopy(key, 0, this.key, 0, key.length);
+
+			keyLength = key.length;
+			System.arraycopy(key, 0, buffer, 0, key.length);
+			bufferPos = BLOCK_LENGTH_BYTES; // zero padding
+		}
+		init();
+	}
+
+	// initialize chainValue
+	private void init() {
+		if (chainValue == null) {
+			chainValue = new int[8];
+
+			chainValue[0] = blake2s_IV[0]
+					^ (digestLength | (keyLength << 8) | 0x1010000);
+			// 0x1010000 = ((fanout << 16) | (depth << 24));
+			// with fanout = 1; depth = 0;
+			chainValue[1] = blake2s_IV[1];// ^ leafLength; with leafLength = 0;
+			chainValue[2] = blake2s_IV[2];// ^ nodeOffset; with nodeOffset = 0;
+			chainValue[3] = blake2s_IV[3];// ^ ( (nodeOffset << 32) |
+			// (nodeDepth << 16) | (innerHashLength << 24) );
+			// with nodeDepth = 0; innerHashLength = 0;
+
+			chainValue[4] = blake2s_IV[4];
+			chainValue[5] = blake2s_IV[5];
+			if (salt != null) {
+				chainValue[4] ^= (bytes2int(salt, 0));
+				chainValue[5] ^= (bytes2int(salt, 4));
+			}
+
+			chainValue[6] = blake2s_IV[6];
+			chainValue[7] = blake2s_IV[7];
+			if (personalization != null) {
+				chainValue[6] ^= (bytes2int(personalization, 0));
+				chainValue[7] ^= (bytes2int(personalization, 4));
+			}
+		}
+	}
+
+	private void initializeInternalState() {
+		// initialize v:
+		System.arraycopy(chainValue, 0, internalState, 0, chainValue.length);
+		System.arraycopy(blake2s_IV, 0, internalState, chainValue.length, 4);
+		internalState[12] = t0 ^ blake2s_IV[4];
+		internalState[13] = t1 ^ blake2s_IV[5];
+		internalState[14] = f0 ^ blake2s_IV[6];
+		internalState[15] = blake2s_IV[7];// ^ f1 with f1 = 0
+	}
+
+	/**
+	 * Update the message digest with a single byte.
+	 *
+	 * @param b the input byte to be entered.
+	 */
+	public void update(byte b) {
+		int remainingLength; // left bytes of buffer
+
+		// process the buffer if full else add to buffer:
+		remainingLength = BLOCK_LENGTH_BYTES - bufferPos;
+		if (remainingLength == 0) { // full buffer
+			t0 += BLOCK_LENGTH_BYTES;
+			if (t0 == 0) { // if message > 2^32
+				t1++;
+			}
+			compress(buffer, 0);
+			Arrays.fill(buffer, (byte)0);// clear buffer
+			buffer[0] = b;
+			bufferPos = 1;
+		} else {
+			buffer[bufferPos] = b;
+			bufferPos++;
+		}
+	}
+
+	/**
+	 * Update the message digest with a block of bytes.
+	 *
+	 * @param message the byte array containing the data.
+	 * @param offset the offset into the byte array where the data starts.
+	 * @param len the length of the data.
+	 */
+	public void update(byte[] message, int offset, int len) {
+		if (message == null || len == 0)
+			return;
+
+		int remainingLength = 0; // left bytes of buffer
+
+		if (bufferPos != 0) { // commenced, incomplete buffer
+
+			// complete the buffer:
+			remainingLength = BLOCK_LENGTH_BYTES - bufferPos;
+			if (remainingLength < len) { // full buffer + at least 1 byte
+				System.arraycopy(message, offset, buffer, bufferPos,
+						remainingLength);
+				t0 += BLOCK_LENGTH_BYTES;
+				if (t0 == 0) { // if message > 2^32
+					t1++;
+				}
+				compress(buffer, 0);
+				bufferPos = 0;
+				Arrays.fill(buffer, (byte) 0);// clear buffer
+			} else {
+				System.arraycopy(message, offset, buffer, bufferPos, len);
+				bufferPos += len;
+				return;
+			}
+		}
+
+		// process blocks except last block (also if last block is full)
+		int messagePos;
+		int blockWiseLastPos = offset + len - BLOCK_LENGTH_BYTES;
+		for (messagePos = offset + remainingLength;
+				messagePos < blockWiseLastPos;
+				messagePos += BLOCK_LENGTH_BYTES) { // block wise 64 bytes
+			// without buffer:
+			t0 += BLOCK_LENGTH_BYTES;
+			if (t0 == 0) {
+				t1++;
+			}
+			compress(message, messagePos);
+		}
+
+		// fill the buffer with left bytes, this might be a full block
+		System.arraycopy(message, messagePos, buffer, 0, offset + len
+				- messagePos);
+		bufferPos += offset + len - messagePos;
+	}
+
+	/**
+	 * Close the digest, producing the final digest value. The doFinal() call
+	 * leaves the digest reset. Key, salt and personal string remain.
+	 *
+	 * @param out the array the digest is to be copied into.
+	 * @param outOffset the offset into the out array the digest is to start at.
+	 */
+	public int doFinal(byte[] out, int outOffset) {
+		f0 = 0xFFFFFFFF;
+		t0 += bufferPos;
+		// bufferPos may be < 64, so (t0 == 0) does not work
+		// for 2^32 < message length > 2^32 - 63
+		if ((t0 < 0) && (bufferPos > -t0)) {
+			t1++;
+		}
+		compress(buffer, 0);
+		Arrays.fill(buffer, (byte) 0);// Holds eventually the key if input is null
+		Arrays.fill(internalState, 0);
+
+		for (int i = 0; i < chainValue.length && (i * 4 < digestLength); i++) {
+			byte[] bytes = int2bytes(chainValue[i]);
+
+			if (i * 4 < digestLength - 4) {
+				System.arraycopy(bytes, 0, out, outOffset + i * 4, 4);
+			} else {
+				System.arraycopy(bytes, 0, out, outOffset + i * 4,
+						digestLength - (i * 4));
+			}
+		}
+
+		Arrays.fill(chainValue, 0);
+
+		reset();
+
+		return digestLength;
+	}
+
+	/**
+	 * Reset the digest back to its initial state. The key, the salt and the
+	 * personal string will remain for further computations.
+	 */
+	public void reset() {
+		bufferPos = 0;
+		f0 = 0;
+		t0 = 0;
+		t1 = 0;
+		chainValue = null;
+		if (key != null) {
+			Arrays.fill(buffer, (byte) 0);
+			System.arraycopy(key, 0, buffer, 0, key.length);
+			bufferPos = BLOCK_LENGTH_BYTES; // zero padding
+		}
+		init();
+	}
+
+	private void compress(byte[] message, int messagePos) {
+		initializeInternalState();
+
+		int[] m = new int[16];
+		for (int j = 0; j < 16; j++) {
+			m[j] = bytes2int(message, messagePos + j * 4);
+		}
+
+		for (int round = 0; round < ROUNDS; round++) {
+
+			// G apply to columns of internalState:m[blake2s_sigma[round][2 *
+			// blockPos]] /+1
+			G(m[blake2s_sigma[round][0]], m[blake2s_sigma[round][1]], 0, 4, 8,
+					12);
+			G(m[blake2s_sigma[round][2]], m[blake2s_sigma[round][3]], 1, 5, 9,
+					13);
+			G(m[blake2s_sigma[round][4]], m[blake2s_sigma[round][5]], 2, 6, 10,
+					14);
+			G(m[blake2s_sigma[round][6]], m[blake2s_sigma[round][7]], 3, 7, 11,
+					15);
+			// G apply to diagonals of internalState:
+			G(m[blake2s_sigma[round][8]], m[blake2s_sigma[round][9]], 0, 5, 10,
+					15);
+			G(m[blake2s_sigma[round][10]], m[blake2s_sigma[round][11]], 1, 6,
+					11, 12);
+			G(m[blake2s_sigma[round][12]], m[blake2s_sigma[round][13]], 2, 7,
+					8, 13);
+			G(m[blake2s_sigma[round][14]], m[blake2s_sigma[round][15]], 3, 4,
+					9, 14);
+		}
+
+		// update chain values:
+		for (int offset = 0; offset < chainValue.length; offset++) {
+			chainValue[offset] = chainValue[offset] ^ internalState[offset]
+					^ internalState[offset + 8];
+		}
+	}
+
+	private void G(int m1, int m2, int posA, int posB, int posC, int posD) {
+		internalState[posA] = internalState[posA] + internalState[posB] + m1;
+		internalState[posD] = rotr32(internalState[posD] ^ internalState[posA],
+				16);
+		internalState[posC] = internalState[posC] + internalState[posD];
+		internalState[posB] = rotr32(internalState[posB] ^ internalState[posC],
+				12);
+		internalState[posA] = internalState[posA] + internalState[posB] + m2;
+		internalState[posD] = rotr32(internalState[posD] ^ internalState[posA],
+				8);
+		internalState[posC] = internalState[posC] + internalState[posD];
+		internalState[posB] = rotr32(internalState[posB] ^ internalState[posC],
+				7);
+	}
+
+	private int rotr32(int x, int rot) {
+		return x >>> rot | (x << (32 - rot));
+	}
+
+	// convert one int value in byte array
+	// little-endian byte order!
+	private byte[] int2bytes(int intValue) {
+		return new byte[] {
+				(byte) intValue, (byte) (intValue >> 8),
+				(byte) (intValue >> 16), (byte) (intValue >> 24)
+		};
+	}
+
+	// little-endian byte order!
+	private int bytes2int(byte[] byteArray, int offset) {
+		return (((int) byteArray[offset] & 0xFF)
+				| (((int) byteArray[offset + 1] & 0xFF) << 8)
+				| (((int) byteArray[offset + 2] & 0xFF) << 16)
+				| (((int) byteArray[offset + 3] & 0xFF) << 24));
+	}
+
+	/**
+	 * Return the algorithm name.
+	 *
+	 * @return the algorithm name
+	 */
+	public String getAlgorithmName() {
+		return "BLAKE2s";
+	}
+
+	/**
+	 * Return the size in bytes of the digest produced by this message digest.
+	 *
+	 * @return the size in bytes of the digest produced by this message digest.
+	 */
+	public int getDigestSize() {
+		return digestLength;
+	}
+
+	/**
+	 * Return the size in bytes of the internal buffer the digest applies its
+	 * compression function to.
+	 *
+	 * @return byte length of the digest's internal buffer.
+	 */
+	public int getByteLength() {
+		return BLOCK_LENGTH_BYTES;
+	}
+
+	/**
+	 * Overwrite the key if it is no longer used (zeroization).
+	 */
+	public void clearKey() {
+		if (key != null) {
+			Arrays.fill(key, (byte) 0);
+			Arrays.fill(buffer,  (byte) 0);
+		}
+	}
+
+	/**
+	 * Overwrite the salt (pepper) if it is secret and no longer used
+	 * (zeroization).
+	 */
+	public void clearSalt() {
+		if (salt != null) {
+			Arrays.fill(salt, (byte) 0);
+		}
+	}
+}

bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoComponentImpl.java

@@ -1,59 +1,107 @@
 package org.briarproject.bramble.crypto;
 
-import net.i2p.crypto.eddsa.EdDSAPrivateKey;
-import net.i2p.crypto.eddsa.EdDSAPublicKey;
-import net.i2p.crypto.eddsa.KeyPairGenerator;
-
 import org.briarproject.bramble.api.crypto.CryptoComponent;
 import org.briarproject.bramble.api.crypto.KeyPair;
 import org.briarproject.bramble.api.crypto.KeyParser;
 import org.briarproject.bramble.api.crypto.PrivateKey;
 import org.briarproject.bramble.api.crypto.PublicKey;
 import org.briarproject.bramble.api.crypto.SecretKey;
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+import org.briarproject.bramble.api.plugin.TransportId;
 import org.briarproject.bramble.api.system.SecureRandomProvider;
+import org.briarproject.bramble.api.transport.IncomingKeys;
+import org.briarproject.bramble.api.transport.OutgoingKeys;
+import org.briarproject.bramble.api.transport.TransportKeys;
 import org.briarproject.bramble.util.ByteUtils;
 import org.briarproject.bramble.util.StringUtils;
+import org.spongycastle.crypto.AsymmetricCipherKeyPair;
+import org.spongycastle.crypto.CipherParameters;
 import org.spongycastle.crypto.CryptoException;
 import org.spongycastle.crypto.Digest;
-import org.spongycastle.crypto.digests.Blake2bDigest;
-import org.whispersystems.curve25519.Curve25519;
-import org.whispersystems.curve25519.Curve25519KeyPair;
+import org.spongycastle.crypto.agreement.ECDHCBasicAgreement;
+import org.spongycastle.crypto.digests.SHA256Digest;
+import org.spongycastle.crypto.generators.ECKeyPairGenerator;
+import org.spongycastle.crypto.generators.PKCS5S2ParametersGenerator;
+import org.spongycastle.crypto.params.ECKeyGenerationParameters;
+import org.spongycastle.crypto.params.ECPrivateKeyParameters;
+import org.spongycastle.crypto.params.ECPublicKeyParameters;
+import org.spongycastle.crypto.params.KeyParameter;
 
+import java.nio.charset.Charset;
 import java.security.GeneralSecurityException;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
 import java.security.SecureRandom;
 import java.security.Security;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
 import java.util.logging.Logger;
 
-import javax.annotation.Nullable;
 import javax.inject.Inject;
 
 import static java.util.logging.Level.INFO;
+import static org.briarproject.bramble.api.keyagreement.KeyAgreementConstants.COMMIT_LENGTH;
+import static org.briarproject.bramble.api.transport.TransportConstants.TAG_LENGTH;
+import static org.briarproject.bramble.crypto.EllipticCurveConstants.PARAMETERS;
+import static org.briarproject.bramble.util.ByteUtils.INT_16_BYTES;
 import static org.briarproject.bramble.util.ByteUtils.INT_32_BYTES;
+import static org.briarproject.bramble.util.ByteUtils.INT_64_BYTES;
+import static org.briarproject.bramble.util.ByteUtils.MAX_16_BIT_UNSIGNED;
+import static org.briarproject.bramble.util.ByteUtils.MAX_32_BIT_UNSIGNED;
 
-@NotNullByDefault
 class CryptoComponentImpl implements CryptoComponent {
 
 	private static final Logger LOG =
 			Logger.getLogger(CryptoComponentImpl.class.getName());
 
+	private static final int AGREEMENT_KEY_PAIR_BITS = 256;
 	private static final int SIGNATURE_KEY_PAIR_BITS = 256;
 	private static final int STORAGE_IV_BYTES = 24; // 196 bits
 	private static final int PBKDF_SALT_BYTES = 32; // 256 bits
-	private static final int PBKDF_FORMAT_SCRYPT = 0;
+	private static final int PBKDF_TARGET_MILLIS = 500;
+	private static final int PBKDF_SAMPLES = 30;
+	private static final int HASH_SIZE = 256 / 8;
+
+	private static byte[] ascii(String s) {
+		return s.getBytes(Charset.forName("US-ASCII"));
+	}
+
+	// KDF labels for contact exchange stream header key derivation
+	private static final byte[] A_INVITE = ascii("ALICE_INVITATION_KEY");
+	private static final byte[] B_INVITE = ascii("BOB_INVITATION_KEY");
+	// KDF labels for contact exchange signature nonce derivation
+	private static final byte[] A_SIG_NONCE = ascii("ALICE_SIGNATURE_NONCE");
+	private static final byte[] B_SIG_NONCE = ascii("BOB_SIGNATURE_NONCE");
+	// Hash label for BQP public key commitment derivation
+	private static final String COMMIT =
+			"org.briarproject.bramble.COMMIT";
+	// Hash label for shared secret derivation
+	private static final String SHARED_SECRET =
+			"org.briarproject.bramble.SHARED_SECRET";
+	// KDF label for BQP confirmation key derivation
+	private static final byte[] CONFIRMATION_KEY = ascii("CONFIRMATION_KEY");
+	// KDF label for master key derivation
+	private static final byte[] MASTER_KEY = ascii("MASTER_KEY");
+	// KDF labels for tag key derivation
+	private static final byte[] A_TAG = ascii("ALICE_TAG_KEY");
+	private static final byte[] B_TAG = ascii("BOB_TAG_KEY");
+	// KDF labels for header key derivation
+	private static final byte[] A_HEADER = ascii("ALICE_HEADER_KEY");
+	private static final byte[] B_HEADER = ascii("BOB_HEADER_KEY");
+	// KDF labels for MAC key derivation
+	private static final byte[] A_MAC = ascii("ALICE_MAC_KEY");
+	private static final byte[] B_MAC = ascii("BOB_MAC_KEY");
+	// KDF label for key rotation
+	private static final byte[] ROTATE = ascii("ROTATE");
 
 	private final SecureRandom secureRandom;
-	private final PasswordBasedKdf passwordBasedKdf;
-	private final Curve25519 curve25519;
-	private final KeyPairGenerator signatureKeyPairGenerator;
+	private final ECKeyPairGenerator agreementKeyPairGenerator;
+	private final ECKeyPairGenerator signatureKeyPairGenerator;
 	private final KeyParser agreementKeyParser, signatureKeyParser;
 	private final MessageEncrypter messageEncrypter;
 
 	@Inject
-	CryptoComponentImpl(SecureRandomProvider secureRandomProvider,
-			PasswordBasedKdf passwordBasedKdf) {
+	CryptoComponentImpl(SecureRandomProvider secureRandomProvider) {
 		if (LOG.isLoggable(INFO)) {
 			SecureRandom defaultSecureRandom = new SecureRandom();
 			String name = defaultSecureRandom.getProvider().getName();
@@ -73,13 +121,16 @@ class CryptoComponentImpl implements CryptoComponent {
 			}
 		}
 		secureRandom = new SecureRandom();
-		this.passwordBasedKdf = passwordBasedKdf;
-		curve25519 = Curve25519.getInstance("java");
-		signatureKeyPairGenerator = new KeyPairGenerator();
-		signatureKeyPairGenerator.initialize(SIGNATURE_KEY_PAIR_BITS,
-				secureRandom);
-		agreementKeyParser = new Curve25519KeyParser();
-		signatureKeyParser = new EdKeyParser();
+		ECKeyGenerationParameters params = new ECKeyGenerationParameters(
+				PARAMETERS, secureRandom);
+		agreementKeyPairGenerator = new ECKeyPairGenerator();
+		agreementKeyPairGenerator.init(params);
+		signatureKeyPairGenerator = new ECKeyPairGenerator();
+		signatureKeyPairGenerator.init(params);
+		agreementKeyParser = new Sec1KeyParser(PARAMETERS,
+				AGREEMENT_KEY_PAIR_BITS);
+		signatureKeyParser = new Sec1KeyParser(PARAMETERS,
+				SIGNATURE_KEY_PAIR_BITS);
 		messageEncrypter = new MessageEncrypter(secureRandom);
 	}
 
@@ -123,17 +174,16 @@ class CryptoComponentImpl implements CryptoComponent {
 	// Package access for testing
 	byte[] performRawKeyAgreement(PrivateKey priv, PublicKey pub)
 			throws GeneralSecurityException {
-		if (!(priv instanceof Curve25519PrivateKey))
+		if (!(priv instanceof Sec1PrivateKey))
 			throw new IllegalArgumentException();
-		if (!(pub instanceof Curve25519PublicKey))
+		if (!(pub instanceof Sec1PublicKey))
 			throw new IllegalArgumentException();
+		ECPrivateKeyParameters ecPriv = ((Sec1PrivateKey) priv).getKey();
+		ECPublicKeyParameters ecPub = ((Sec1PublicKey) pub).getKey();
 		long now = System.currentTimeMillis();
-		byte[] secret = curve25519.calculateAgreement(pub.getEncoded(),
-				priv.getEncoded());
-		// If the shared secret is all zeroes, the public key is invalid
-		byte allZero = 0;
-		for (byte b : secret) allZero |= b;
-		if (allZero == 0) throw new GeneralSecurityException();
+		ECDHCBasicAgreement agreement = new ECDHCBasicAgreement();
+		agreement.init(ecPriv);
+		byte[] secret = agreement.calculateAgreement(ecPub).toByteArray();
 		long duration = System.currentTimeMillis() - now;
 		if (LOG.isLoggable(INFO))
 			LOG.info("Deriving shared secret took " + duration + " ms");
@@ -142,10 +192,18 @@ class CryptoComponentImpl implements CryptoComponent {
 
 	@Override
 	public KeyPair generateAgreementKeyPair() {
-		Curve25519KeyPair keyPair = curve25519.generateKeyPair();
-		PublicKey pub = new Curve25519PublicKey(keyPair.getPublicKey());
-		PrivateKey priv = new Curve25519PrivateKey(keyPair.getPrivateKey());
-		return new KeyPair(pub, priv);
+		AsymmetricCipherKeyPair keyPair =
+				agreementKeyPairGenerator.generateKeyPair();
+		// Return a wrapper that uses the SEC 1 encoding
+		ECPublicKeyParameters ecPublicKey =
+				(ECPublicKeyParameters) keyPair.getPublic();
+		PublicKey publicKey = new Sec1PublicKey(ecPublicKey
+		);
+		ECPrivateKeyParameters ecPrivateKey =
+				(ECPrivateKeyParameters) keyPair.getPrivate();
+		PrivateKey privateKey = new Sec1PrivateKey(ecPrivateKey,
+				AGREEMENT_KEY_PAIR_BITS);
+		return new KeyPair(publicKey, privateKey);
 	}
 
 	@Override
@@ -155,12 +213,17 @@ class CryptoComponentImpl implements CryptoComponent {
 
 	@Override
 	public KeyPair generateSignatureKeyPair() {
-		java.security.KeyPair keyPair =
+		AsymmetricCipherKeyPair keyPair =
 				signatureKeyPairGenerator.generateKeyPair();
-		EdDSAPublicKey edPublicKey = (EdDSAPublicKey) keyPair.getPublic();
-		PublicKey publicKey = new EdPublicKey(edPublicKey.getAbyte());
-		EdDSAPrivateKey edPrivateKey = (EdDSAPrivateKey) keyPair.getPrivate();
-		PrivateKey privateKey = new EdPrivateKey(edPrivateKey.getSeed());
+		// Return a wrapper that uses the SEC 1 encoding
+		ECPublicKeyParameters ecPublicKey =
+				(ECPublicKeyParameters) keyPair.getPublic();
+		PublicKey publicKey = new Sec1PublicKey(ecPublicKey
+		);
+		ECPrivateKeyParameters ecPrivateKey =
+				(ECPrivateKeyParameters) keyPair.getPrivate();
+		PrivateKey privateKey = new Sec1PrivateKey(ecPrivateKey,
+				SIGNATURE_KEY_PAIR_BITS);
 		return new KeyPair(publicKey, privateKey);
 	}
 
@@ -175,47 +238,205 @@ class CryptoComponentImpl implements CryptoComponent {
 	}
 
 	@Override
-	public SecretKey deriveKey(String label, SecretKey k, byte[]... inputs) {
-		byte[] mac = mac(label, k, inputs);
-		if (mac.length != SecretKey.LENGTH) throw new IllegalStateException();
-		return new SecretKey(mac);
+	public SecretKey deriveHeaderKey(SecretKey master,
+			boolean alice) {
+		return new SecretKey(macKdf(master, alice ? A_INVITE : B_INVITE));
 	}
 
 	@Override
-	public SecretKey deriveSharedSecret(String label, PublicKey theirPublicKey,
-			KeyPair ourKeyPair, byte[]... inputs)
-			throws GeneralSecurityException {
+	public SecretKey deriveMacKey(SecretKey master, boolean alice) {
+		return new SecretKey(macKdf(master, alice ? A_MAC : B_MAC));
+	}
+
+	@Override
+	public byte[] deriveSignatureNonce(SecretKey master,
+			boolean alice) {
+		return macKdf(master, alice ? A_SIG_NONCE : B_SIG_NONCE);
+	}
+
+	@Override
+	public byte[] deriveKeyCommitment(byte[] publicKey) {
+		byte[] hash = hash(COMMIT, publicKey);
+		// The output is the first COMMIT_LENGTH bytes of the hash
+		byte[] commitment = new byte[COMMIT_LENGTH];
+		System.arraycopy(hash, 0, commitment, 0, COMMIT_LENGTH);
+		return commitment;
+	}
+
+	@Override
+	public SecretKey deriveSharedSecret(byte[] theirPublicKey,
+			KeyPair ourKeyPair, boolean alice) throws GeneralSecurityException {
 		PrivateKey ourPriv = ourKeyPair.getPrivate();
-		byte[][] hashInputs = new byte[inputs.length + 1][];
-		hashInputs[0] = performRawKeyAgreement(ourPriv, theirPublicKey);
-		System.arraycopy(inputs, 0, hashInputs, 1, inputs.length);
-		byte[] hash = hash(label, hashInputs);
-		if (hash.length != SecretKey.LENGTH) throw new IllegalStateException();
-		return new SecretKey(hash);
+		PublicKey theirPub = agreementKeyParser.parsePublicKey(theirPublicKey);
+		byte[] raw = performRawKeyAgreement(ourPriv, theirPub);
+		byte[] alicePub, bobPub;
+		if (alice) {
+			alicePub = ourKeyPair.getPublic().getEncoded();
+			bobPub = theirPublicKey;
+		} else {
+			alicePub = theirPublicKey;
+			bobPub = ourKeyPair.getPublic().getEncoded();
+		}
+		return new SecretKey(hash(SHARED_SECRET, raw, alicePub, bobPub));
+	}
+
+	@Override
+	public byte[] deriveConfirmationRecord(SecretKey sharedSecret,
+			byte[] theirPayload, byte[] ourPayload, byte[] theirPublicKey,
+			KeyPair ourKeyPair, boolean alice, boolean aliceRecord) {
+		SecretKey ck = new SecretKey(macKdf(sharedSecret, CONFIRMATION_KEY));
+		byte[] alicePayload, alicePub, bobPayload, bobPub;
+		if (alice) {
+			alicePayload = ourPayload;
+			alicePub = ourKeyPair.getPublic().getEncoded();
+			bobPayload = theirPayload;
+			bobPub = theirPublicKey;
+		} else {
+			alicePayload = theirPayload;
+			alicePub = theirPublicKey;
+			bobPayload = ourPayload;
+			bobPub = ourKeyPair.getPublic().getEncoded();
+		}
+		if (aliceRecord)
+			return macKdf(ck, alicePayload, alicePub, bobPayload, bobPub);
+		else
+			return macKdf(ck, bobPayload, bobPub, alicePayload, alicePub);
+	}
+
+	@Override
+	public SecretKey deriveMasterSecret(SecretKey sharedSecret) {
+		return new SecretKey(macKdf(sharedSecret, MASTER_KEY));
+	}
+
+	@Override
+	public SecretKey deriveMasterSecret(byte[] theirPublicKey,
+			KeyPair ourKeyPair, boolean alice) throws GeneralSecurityException {
+		return deriveMasterSecret(deriveSharedSecret(
+				theirPublicKey, ourKeyPair, alice));
+	}
+
+	@Override
+	public TransportKeys deriveTransportKeys(TransportId t,
+			SecretKey master, long rotationPeriod, boolean alice) {
+		// Keys for the previous period are derived from the master secret
+		SecretKey inTagPrev = deriveTagKey(master, t, !alice);
+		SecretKey inHeaderPrev = deriveHeaderKey(master, t, !alice);
+		SecretKey outTagPrev = deriveTagKey(master, t, alice);
+		SecretKey outHeaderPrev = deriveHeaderKey(master, t, alice);
+		// Derive the keys for the current and next periods
+		SecretKey inTagCurr = rotateKey(inTagPrev, rotationPeriod);
+		SecretKey inHeaderCurr = rotateKey(inHeaderPrev, rotationPeriod);
+		SecretKey inTagNext = rotateKey(inTagCurr, rotationPeriod + 1);
+		SecretKey inHeaderNext = rotateKey(inHeaderCurr, rotationPeriod + 1);
+		SecretKey outTagCurr = rotateKey(outTagPrev, rotationPeriod);
+		SecretKey outHeaderCurr = rotateKey(outHeaderPrev, rotationPeriod);
+		// Initialise the reordering windows and stream counters
+		IncomingKeys inPrev = new IncomingKeys(inTagPrev, inHeaderPrev,
+				rotationPeriod - 1);
+		IncomingKeys inCurr = new IncomingKeys(inTagCurr, inHeaderCurr,
+				rotationPeriod);
+		IncomingKeys inNext = new IncomingKeys(inTagNext, inHeaderNext,
+				rotationPeriod + 1);
+		OutgoingKeys outCurr = new OutgoingKeys(outTagCurr, outHeaderCurr,
+				rotationPeriod);
+		// Collect and return the keys
+		return new TransportKeys(t, inPrev, inCurr, inNext, outCurr);
+	}
+
+	@Override
+	public TransportKeys rotateTransportKeys(TransportKeys k,
+			long rotationPeriod) {
+		if (k.getRotationPeriod() >= rotationPeriod) return k;
+		IncomingKeys inPrev = k.getPreviousIncomingKeys();
+		IncomingKeys inCurr = k.getCurrentIncomingKeys();
+		IncomingKeys inNext = k.getNextIncomingKeys();
+		OutgoingKeys outCurr = k.getCurrentOutgoingKeys();
+		long startPeriod = outCurr.getRotationPeriod();
+		// Rotate the keys
+		for (long p = startPeriod + 1; p <= rotationPeriod; p++) {
+			inPrev = inCurr;
+			inCurr = inNext;
+			SecretKey inNextTag = rotateKey(inNext.getTagKey(), p + 1);
+			SecretKey inNextHeader = rotateKey(inNext.getHeaderKey(), p + 1);
+			inNext = new IncomingKeys(inNextTag, inNextHeader, p + 1);
+			SecretKey outCurrTag = rotateKey(outCurr.getTagKey(), p);
+			SecretKey outCurrHeader = rotateKey(outCurr.getHeaderKey(), p);
+			outCurr = new OutgoingKeys(outCurrTag, outCurrHeader, p);
+		}
+		// Collect and return the keys
+		return new TransportKeys(k.getTransportId(), inPrev, inCurr, inNext,
+				outCurr);
+	}
+
+	private SecretKey rotateKey(SecretKey k, long rotationPeriod) {
+		byte[] period = new byte[INT_64_BYTES];
+		ByteUtils.writeUint64(rotationPeriod, period, 0);
+		return new SecretKey(macKdf(k, ROTATE, period));
+	}
+
+	private SecretKey deriveTagKey(SecretKey master, TransportId t,
+			boolean alice) {
+		byte[] id = StringUtils.toUtf8(t.getString());
+		return new SecretKey(macKdf(master, alice ? A_TAG : B_TAG, id));
+	}
+
+	private SecretKey deriveHeaderKey(SecretKey master, TransportId t,
+			boolean alice) {
+		byte[] id = StringUtils.toUtf8(t.getString());
+		return new SecretKey(macKdf(master, alice ? A_HEADER : B_HEADER, id));
+	}
+
+	@Override
+	public void encodeTag(byte[] tag, SecretKey tagKey, int protocolVersion,
+			long streamNumber) {
+		if (tag.length < TAG_LENGTH) throw new IllegalArgumentException();
+		if (protocolVersion < 0 || protocolVersion > MAX_16_BIT_UNSIGNED)
+			throw new IllegalArgumentException();
+		if (streamNumber < 0 || streamNumber > MAX_32_BIT_UNSIGNED)
+			throw new IllegalArgumentException();
+		// Initialise the PRF
+		Digest prf = new Blake2sDigest(tagKey.getBytes());
+		// The output of the PRF must be long enough to use as a tag
+		int macLength = prf.getDigestSize();
+		if (macLength < TAG_LENGTH) throw new IllegalStateException();
+		// The input is the protocol version as a 16-bit integer, followed by
+		// the stream number as a 64-bit integer
+		byte[] protocolVersionBytes = new byte[INT_16_BYTES];
+		ByteUtils.writeUint16(protocolVersion, protocolVersionBytes, 0);
+		prf.update(protocolVersionBytes, 0, protocolVersionBytes.length);
+		byte[] streamNumberBytes = new byte[INT_64_BYTES];
+		ByteUtils.writeUint64(streamNumber, streamNumberBytes, 0);
+		prf.update(streamNumberBytes, 0, streamNumberBytes.length);
+		byte[] mac = new byte[macLength];
+		prf.doFinal(mac, 0);
+		// The output is the first TAG_LENGTH bytes of the MAC
+		System.arraycopy(mac, 0, tag, 0, TAG_LENGTH);
 	}
 
 	@Override
 	public byte[] sign(String label, byte[] toSign, byte[] privateKey)
 			throws GeneralSecurityException {
-		PrivateKey key = signatureKeyParser.parsePrivateKey(privateKey);
-		Signature sig = new EdSignature();
-		sig.initSign(key);
-		updateSignature(sig, label, toSign);
-		return sig.sign();
+		Signature signature = new SignatureImpl(secureRandom);
+		KeyParser keyParser = getSignatureKeyParser();
+		PrivateKey key = keyParser.parsePrivateKey(privateKey);
+		signature.initSign(key);
+		updateSignature(signature, label, toSign);
+		return signature.sign();
 	}
 
 	@Override
-	public boolean verifySignature(byte[] signature, String label,
-			byte[] signed, byte[] publicKey) throws GeneralSecurityException {
-		PublicKey key = signatureKeyParser.parsePublicKey(publicKey);
-		Signature sig = new EdSignature();
+	public boolean verify(String label, byte[] signedData, byte[] publicKey,
+			byte[] signature) throws GeneralSecurityException {
+		Signature sig = new SignatureImpl(secureRandom);
+		KeyParser keyParser = getSignatureKeyParser();
+		PublicKey key = keyParser.parsePublicKey(publicKey);
 		sig.initVerify(key);
-		updateSignature(sig, label, signed);
+		updateSignature(sig, label, signedData);
 		return sig.verify(signature);
 	}
 
 	private void updateSignature(Signature signature, String label,
-			byte[] toSign) throws GeneralSecurityException {
+			byte[] toSign) {
 		byte[] labelBytes = StringUtils.toUtf8(label);
 		byte[] length = new byte[INT_32_BYTES];
 		ByteUtils.writeUint32(labelBytes.length, length, 0);
@@ -229,7 +450,7 @@ class CryptoComponentImpl implements CryptoComponent {
 	@Override
 	public byte[] hash(String label, byte[]... inputs) {
 		byte[] labelBytes = StringUtils.toUtf8(label);
-		Digest digest = new Blake2bDigest(256);
+		Digest digest = new Blake2sDigest();
 		byte[] length = new byte[INT_32_BYTES];
 		ByteUtils.writeUint32(labelBytes.length, length, 0);
 		digest.update(length, 0, length.length);
@@ -245,13 +466,14 @@ class CryptoComponentImpl implements CryptoComponent {
 	}
 
 	@Override
-	public byte[] mac(String label, SecretKey macKey, byte[]... inputs) {
-		byte[] labelBytes = StringUtils.toUtf8(label);
-		Digest mac = new Blake2bDigest(macKey.getBytes(), 32, null, null);
+	public int getHashLength() {
+		return HASH_SIZE;
+	}
+
+	@Override
+	public byte[] mac(SecretKey macKey, byte[]... inputs) {
+		Digest mac = new Blake2sDigest(macKey.getBytes());
 		byte[] length = new byte[INT_32_BYTES];
-		ByteUtils.writeUint32(labelBytes.length, length, 0);
-		mac.update(length, 0, length.length);
-		mac.update(labelBytes, 0, labelBytes.length);
 		for (byte[] input : inputs) {
 			ByteUtils.writeUint32(input.length, length, 0);
 			mac.update(length, 0, length.length);
@@ -262,17 +484,6 @@ class CryptoComponentImpl implements CryptoComponent {
 		return output;
 	}
 
-	@Override
-	public boolean verifyMac(byte[] mac, String label, SecretKey macKey,
-			byte[]... inputs) {
-		byte[] expected = mac(label, macKey, inputs);
-		if (mac.length != expected.length) return false;
-		// Constant-time comparison
-		int cmp = 0;
-		for (int i = 0; i < mac.length; i++) cmp |= mac[i] ^ expected[i];
-		return cmp == 0;
-	}
-
 	@Override
 	public byte[] encryptWithPassword(byte[] input, String password) {
 		AuthenticatedCipher cipher = new XSalsa20Poly1305AuthenticatedCipher();
@@ -281,33 +492,23 @@ class CryptoComponentImpl implements CryptoComponent {
 		byte[] salt = new byte[PBKDF_SALT_BYTES];
 		secureRandom.nextBytes(salt);
 		// Calibrate the KDF
-		int cost = passwordBasedKdf.chooseCostParameter();
+		int iterations = chooseIterationCount(PBKDF_TARGET_MILLIS);
 		// Derive the key from the password
-		SecretKey key = passwordBasedKdf.deriveKey(password, salt, cost);
+		SecretKey key = new SecretKey(pbkdf2(password, salt, iterations));
 		// Generate a random IV
 		byte[] iv = new byte[STORAGE_IV_BYTES];
 		secureRandom.nextBytes(iv);
-		// The output contains the format version, salt, cost parameter, IV,
-		// ciphertext and MAC
-		int outputLen = 1 + salt.length + INT_32_BYTES + iv.length
-				+ input.length + macBytes;
+		// The output contains the salt, iterations, IV, ciphertext and MAC
+		int outputLen = salt.length + INT_32_BYTES + iv.length + input.length
+				+ macBytes;
 		byte[] output = new byte[outputLen];
-		int outputOff = 0;
-		// Format version
-		output[outputOff] = PBKDF_FORMAT_SCRYPT;
-		outputOff++;
-		// Salt
-		System.arraycopy(salt, 0, output, outputOff, salt.length);
-		outputOff += salt.length;
-		// Cost parameter
-		ByteUtils.writeUint32(cost, output, outputOff);
-		outputOff += INT_32_BYTES;
-		// IV
-		System.arraycopy(iv, 0, output, outputOff, iv.length);
-		outputOff += iv.length;
+		System.arraycopy(salt, 0, output, 0, salt.length);
+		ByteUtils.writeUint32(iterations, output, salt.length);
+		System.arraycopy(iv, 0, output, salt.length + INT_32_BYTES, iv.length);
 		// Initialise the cipher and encrypt the plaintext
 		try {
 			cipher.init(true, key, iv);
+			int outputOff = salt.length + INT_32_BYTES + iv.length;
 			cipher.process(input, 0, input.length, output, outputOff);
 			return output;
 		} catch (GeneralSecurityException e) {
@@ -316,36 +517,22 @@ class CryptoComponentImpl implements CryptoComponent {
 	}
 
 	@Override
-	@Nullable
 	public byte[] decryptWithPassword(byte[] input, String password) {
 		AuthenticatedCipher cipher = new XSalsa20Poly1305AuthenticatedCipher();
 		int macBytes = cipher.getMacBytes();
-		// The input contains the format version, salt, cost parameter, IV,
-		// ciphertext and MAC
-		if (input.length < 1 + PBKDF_SALT_BYTES + INT_32_BYTES
-				+ STORAGE_IV_BYTES + macBytes)
+		// The input contains the salt, iterations, IV, ciphertext and MAC
+		if (input.length < PBKDF_SALT_BYTES + INT_32_BYTES + STORAGE_IV_BYTES
+				+ macBytes)
 			return null; // Invalid input
-		int inputOff = 0;
-		// Format version
-		byte formatVersion = input[inputOff];
-		inputOff++;
-		if (formatVersion != PBKDF_FORMAT_SCRYPT)
-			return null; // Unknown format
-		// Salt
 		byte[] salt = new byte[PBKDF_SALT_BYTES];
-		System.arraycopy(input, inputOff, salt, 0, salt.length);
-		inputOff += salt.length;
-		// Cost parameter
-		long cost = ByteUtils.readUint32(input, inputOff);
-		inputOff += INT_32_BYTES;
-		if (cost < 2 || cost > Integer.MAX_VALUE)
-			return null; // Invalid cost parameter
-		// IV
+		System.arraycopy(input, 0, salt, 0, salt.length);
+		long iterations = ByteUtils.readUint32(input, salt.length);
+		if (iterations < 0 || iterations > Integer.MAX_VALUE)
+			return null; // Invalid iteration count
 		byte[] iv = new byte[STORAGE_IV_BYTES];
-		System.arraycopy(input, inputOff, iv, 0, iv.length);
-		inputOff += iv.length;
+		System.arraycopy(input, salt.length + INT_32_BYTES, iv, 0, iv.length);
 		// Derive the key from the password
-		SecretKey key = passwordBasedKdf.deriveKey(password, salt, (int) cost);
+		SecretKey key = new SecretKey(pbkdf2(password, salt, (int) iterations));
 		// Initialise the cipher
 		try {
 			cipher.init(false, key, iv);
@@ -354,6 +541,7 @@ class CryptoComponentImpl implements CryptoComponent {
 		}
 		// Try to decrypt the ciphertext (may be invalid)
 		try {
+			int inputOff = salt.length + INT_32_BYTES + iv.length;
 			int inputLen = input.length - inputOff;
 			byte[] output = new byte[inputLen - macBytes];
 			cipher.process(input, inputOff, inputLen, output, 0);
@@ -376,4 +564,88 @@ class CryptoComponentImpl implements CryptoComponent {
 	public String asciiArmour(byte[] b, int lineLength) {
 		return AsciiArmour.wrap(b, lineLength);
 	}
+
+	// Key derivation function based on a pseudo-random function - see
+	// NIST SP 800-108, section 5.1
+	private byte[] macKdf(SecretKey key, byte[]... inputs) {
+		// Initialise the PRF
+		Digest prf = new Blake2sDigest(key.getBytes());
+		// The output of the PRF must be long enough to use as a key
+		int macLength = prf.getDigestSize();
+		if (macLength < SecretKey.LENGTH) throw new IllegalStateException();
+		// Calculate the PRF over the concatenated length-prefixed inputs
+		byte[] length = new byte[INT_32_BYTES];
+		for (byte[] input : inputs) {
+			ByteUtils.writeUint32(input.length, length, 0);
+			prf.update(length, 0, length.length);
+			prf.update(input, 0, input.length);
+		}
+		byte[] mac = new byte[macLength];
+		prf.doFinal(mac, 0);
+		// The output is the first SecretKey.LENGTH bytes of the MAC
+		if (mac.length == SecretKey.LENGTH) return mac;
+		byte[] truncated = new byte[SecretKey.LENGTH];
+		System.arraycopy(mac, 0, truncated, 0, truncated.length);
+		return truncated;
+	}
+
+	// Password-based key derivation function - see PKCS#5 v2.1, section 5.2
+	private byte[] pbkdf2(String password, byte[] salt, int iterations) {
+		byte[] utf8 = StringUtils.toUtf8(password);
+		Digest digest = new SHA256Digest();
+		PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest);
+		gen.init(utf8, salt, iterations);
+		int keyLengthInBits = SecretKey.LENGTH * 8;
+		CipherParameters p = gen.generateDerivedParameters(keyLengthInBits);
+		return ((KeyParameter) p).getKey();
+	}
+
+	// Package access for testing
+	int chooseIterationCount(int targetMillis) {
+		List<Long> quickSamples = new ArrayList<>(PBKDF_SAMPLES);
+		List<Long> slowSamples = new ArrayList<>(PBKDF_SAMPLES);
+		long iterationNanos = 0, initNanos = 0;
+		while (iterationNanos <= 0 || initNanos <= 0) {
+			// Sample the running time with one iteration and two iterations
+			for (int i = 0; i < PBKDF_SAMPLES; i++) {
+				quickSamples.add(sampleRunningTime(1));
+				slowSamples.add(sampleRunningTime(2));
+			}
+			// Calculate the iteration time and the initialisation time
+			long quickMedian = median(quickSamples);
+			long slowMedian = median(slowSamples);
+			iterationNanos = slowMedian - quickMedian;
+			initNanos = quickMedian - iterationNanos;
+			if (LOG.isLoggable(INFO)) {
+				LOG.info("Init: " + initNanos + ", iteration: "
+						+ iterationNanos);
+			}
+		}
+		long targetNanos = targetMillis * 1000L * 1000L;
+		long iterations = (targetNanos - initNanos) / iterationNanos;
+		if (LOG.isLoggable(INFO)) LOG.info("Target iterations: " + iterations);
+		if (iterations < 1) return 1;
+		if (iterations > Integer.MAX_VALUE) return Integer.MAX_VALUE;
+		return (int) iterations;
+	}
+
+	private long sampleRunningTime(int iterations) {
+		byte[] password = {'p', 'a', 's', 's', 'w', 'o', 'r', 'd'};
+		byte[] salt = new byte[PBKDF_SALT_BYTES];
+		int keyLengthInBits = SecretKey.LENGTH * 8;
+		long start = System.nanoTime();
+		Digest digest = new SHA256Digest();
+		PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest);
+		gen.init(password, salt, iterations);
+		gen.generateDerivedParameters(keyLengthInBits);
+		return System.nanoTime() - start;
+	}
+
+	private long median(List<Long> list) {
+		int size = list.size();
+		if (size == 0) throw new IllegalArgumentException();
+		Collections.sort(list);
+		if (size % 2 == 1) return list.get(size / 2);
+		return list.get(size / 2 - 1) + list.get(size / 2) / 2;
+	}
 }

bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoModule.java

@@ -3,11 +3,9 @@ package org.briarproject.bramble.crypto;
 import org.briarproject.bramble.TimeLoggingExecutor;
 import org.briarproject.bramble.api.crypto.CryptoComponent;
 import org.briarproject.bramble.api.crypto.CryptoExecutor;
-import org.briarproject.bramble.api.crypto.KeyAgreementCrypto;
 import org.briarproject.bramble.api.crypto.PasswordStrengthEstimator;
 import org.briarproject.bramble.api.crypto.StreamDecrypterFactory;
 import org.briarproject.bramble.api.crypto.StreamEncrypterFactory;
-import org.briarproject.bramble.api.crypto.TransportCrypto;
 import org.briarproject.bramble.api.lifecycle.LifecycleManager;
 import org.briarproject.bramble.api.system.SecureRandomProvider;
 
@@ -67,9 +65,8 @@ public class CryptoModule {
 	@Provides
 	@Singleton
 	CryptoComponent provideCryptoComponent(
-			SecureRandomProvider secureRandomProvider,
-			ScryptKdf passwordBasedKdf) {
-		return new CryptoComponentImpl(secureRandomProvider, passwordBasedKdf);
+			SecureRandomProvider secureRandomProvider) {
+		return new CryptoComponentImpl(secureRandomProvider);
 	}
 
 	@Provides
@@ -77,12 +74,6 @@ public class CryptoModule {
 		return new PasswordStrengthEstimatorImpl();
 	}
 
-	@Provides
-	TransportCrypto provideTransportCrypto(
-			TransportCryptoImpl transportCrypto) {
-		return transportCrypto;
-	}
-
 	@Provides
 	StreamDecrypterFactory provideStreamDecrypterFactory(
 			Provider<AuthenticatedCipher> cipherProvider) {
@@ -90,17 +81,9 @@ public class CryptoModule {
 	}
 
 	@Provides
-	StreamEncrypterFactory provideStreamEncrypterFactory(
-			CryptoComponent crypto, TransportCrypto transportCrypto,
+	StreamEncrypterFactory provideStreamEncrypterFactory(CryptoComponent crypto,
 			Provider<AuthenticatedCipher> cipherProvider) {
-		return new StreamEncrypterFactoryImpl(crypto, transportCrypto,
-				cipherProvider);
-	}
-
-	@Provides
-	KeyAgreementCrypto provideKeyAgreementCrypto(
-			KeyAgreementCryptoImpl keyAgreementCrypto) {
-		return keyAgreementCrypto;
+		return new StreamEncrypterFactoryImpl(crypto, cipherProvider);
 	}
 
 	@Provides

bramble-core/src/main/java/org/briarproject/bramble/crypto/Curve25519KeyParser.java

@@ -1,35 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.crypto.KeyParser;
-import org.briarproject.bramble.api.crypto.PrivateKey;
-import org.briarproject.bramble.api.crypto.PublicKey;
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-
-import java.security.GeneralSecurityException;
-
-@NotNullByDefault
-class Curve25519KeyParser implements KeyParser {
-
-	@Override
-	public PublicKey parsePublicKey(byte[] encodedKey)
-			throws GeneralSecurityException {
-		if (encodedKey.length != 32) throw new GeneralSecurityException();
-		return new Curve25519PublicKey(encodedKey);
-	}
-
-	@Override
-	public PrivateKey parsePrivateKey(byte[] encodedKey)
-			throws GeneralSecurityException {
-		if (encodedKey.length != 32) throw new GeneralSecurityException();
-		return new Curve25519PrivateKey(clamp(encodedKey));
-	}
-
-	static byte[] clamp(byte[] b) {
-		byte[] clamped = new byte[32];
-		System.arraycopy(b, 0, clamped, 0, 32);
-		clamped[0] &= 248;
-		clamped[31] &= 127;
-		clamped[31] |= 64;
-		return clamped;
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/crypto/Curve25519PrivateKey.java

@@ -1,18 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.Bytes;
-import org.briarproject.bramble.api.crypto.PrivateKey;
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-
-@NotNullByDefault
-class Curve25519PrivateKey extends Bytes implements PrivateKey {
-
-	Curve25519PrivateKey(byte[] bytes) {
-		super(bytes);
-	}
-
-	@Override
-	public byte[] getEncoded() {
-		return getBytes();
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/crypto/Curve25519PublicKey.java

@@ -1,18 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.Bytes;
-import org.briarproject.bramble.api.crypto.PublicKey;
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-
-@NotNullByDefault
-class Curve25519PublicKey extends Bytes implements PublicKey {
-
-	Curve25519PublicKey(byte[] bytes) {
-		super(bytes);
-	}
-
-	@Override
-	public byte[] getEncoded() {
-		return getBytes();
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/crypto/EdKeyParser.java

@@ -1,26 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.crypto.KeyParser;
-import org.briarproject.bramble.api.crypto.PrivateKey;
-import org.briarproject.bramble.api.crypto.PublicKey;
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-
-import java.security.GeneralSecurityException;
-
-@NotNullByDefault
-class EdKeyParser implements KeyParser {
-
-	@Override
-	public PublicKey parsePublicKey(byte[] encodedKey)
-			throws GeneralSecurityException {
-		if (encodedKey.length != 32) throw new GeneralSecurityException();
-		return new EdPublicKey(encodedKey);
-	}
-
-	@Override
-	public PrivateKey parsePrivateKey(byte[] encodedKey)
-			throws GeneralSecurityException {
-		if (encodedKey.length != 32) throw new GeneralSecurityException();
-		return new EdPrivateKey(encodedKey);
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/crypto/EdPrivateKey.java

@@ -1,18 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.Bytes;
-import org.briarproject.bramble.api.crypto.PrivateKey;
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-
-@NotNullByDefault
-class EdPrivateKey extends Bytes implements PrivateKey {
-
-	EdPrivateKey(byte[] bytes) {
-		super(bytes);
-	}
-
-	@Override
-	public byte[] getEncoded() {
-		return getBytes();
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/crypto/EdPublicKey.java

@@ -1,18 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.Bytes;
-import org.briarproject.bramble.api.crypto.PublicKey;
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-
-@NotNullByDefault
-class EdPublicKey extends Bytes implements PublicKey {
-
-	EdPublicKey(byte[] bytes) {
-		super(bytes);
-	}
-
-	@Override
-	public byte[] getEncoded() {
-		return getBytes();
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/crypto/EdSignature.java

@@ -1,83 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import net.i2p.crypto.eddsa.EdDSAPrivateKey;
-import net.i2p.crypto.eddsa.EdDSAPublicKey;
-import net.i2p.crypto.eddsa.EdDSASecurityProvider;
-import net.i2p.crypto.eddsa.spec.EdDSANamedCurveSpec;
-import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
-import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
-import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
-
-import org.briarproject.bramble.api.crypto.PrivateKey;
-import org.briarproject.bramble.api.crypto.PublicKey;
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-
-import java.security.GeneralSecurityException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-
-import static net.i2p.crypto.eddsa.EdDSAEngine.SIGNATURE_ALGORITHM;
-
-@NotNullByDefault
-class EdSignature implements Signature {
-
-	private static final Provider PROVIDER = new EdDSASecurityProvider();
-
-	private static final EdDSANamedCurveSpec CURVE_SPEC =
-			EdDSANamedCurveTable.getByName("Ed25519");
-
-	private final java.security.Signature signature;
-
-	EdSignature() {
-		try {
-			signature = java.security.Signature
-					.getInstance(SIGNATURE_ALGORITHM, PROVIDER);
-		} catch (NoSuchAlgorithmException e) {
-			throw new AssertionError(e);
-		}
-	}
-
-	@Override
-	public void initSign(PrivateKey k) throws GeneralSecurityException {
-		if (!(k instanceof EdPrivateKey))
-			throw new IllegalArgumentException();
-		EdDSAPrivateKey privateKey = new EdDSAPrivateKey(
-				new EdDSAPrivateKeySpec(k.getEncoded(), CURVE_SPEC));
-		signature.initSign(privateKey);
-	}
-
-	@Override
-	public void initVerify(PublicKey k) throws GeneralSecurityException {
-		if (!(k instanceof EdPublicKey))
-			throw new IllegalArgumentException();
-		EdDSAPublicKey publicKey = new EdDSAPublicKey(
-				new EdDSAPublicKeySpec(k.getEncoded(), CURVE_SPEC));
-		signature.initVerify(publicKey);
-	}
-
-	@Override
-	public void update(byte b) throws GeneralSecurityException {
-		signature.update(b);
-	}
-
-	@Override
-	public void update(byte[] b) throws GeneralSecurityException {
-		signature.update(b);
-	}
-
-	@Override
-	public void update(byte[] b, int off, int len)
-			throws GeneralSecurityException {
-		signature.update(b, off, len);
-	}
-
-	@Override
-	public byte[] sign() throws GeneralSecurityException {
-		return signature.sign();
-	}
-
-	@Override
-	public boolean verify(byte[] sig) throws GeneralSecurityException {
-		return signature.verify(sig);
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/crypto/EllipticCurveConstants.java

@@ -0,0 +1,32 @@
+package org.briarproject.bramble.crypto;
+
+import org.spongycastle.asn1.teletrust.TeleTrusTNamedCurves;
+import org.spongycastle.asn1.x9.X9ECParameters;
+import org.spongycastle.crypto.params.ECDomainParameters;
+import org.spongycastle.math.ec.ECCurve;
+import org.spongycastle.math.ec.ECMultiplier;
+import org.spongycastle.math.ec.ECPoint;
+import org.spongycastle.math.ec.MontgomeryLadderMultiplier;
+
+import java.math.BigInteger;
+
+/**
+ * Parameters for curve brainpoolp256r1 - see RFC 5639.
+ */
+class EllipticCurveConstants {
+
+	static final ECDomainParameters PARAMETERS;
+
+	static {
+		// Start with the default implementation of the curve
+		X9ECParameters x9 = TeleTrusTNamedCurves.getByName("brainpoolp256r1");
+		// Use a constant-time multiplier
+		ECMultiplier monty = new MontgomeryLadderMultiplier();
+		ECCurve curve = x9.getCurve().configure().setMultiplier(monty).create();
+		BigInteger gX = x9.getG().getAffineXCoord().toBigInteger();
+		BigInteger gY = x9.getG().getAffineYCoord().toBigInteger();
+		ECPoint g = curve.createPoint(gX, gY);
+		// Convert to ECDomainParameters using the new multiplier
+		PARAMETERS = new ECDomainParameters(curve, g, x9.getN(), x9.getH());
+	}
+}

bramble-core/src/main/java/org/briarproject/bramble/crypto/KeyAgreementCryptoImpl.java

@@ -1,56 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.crypto.CryptoComponent;
-import org.briarproject.bramble.api.crypto.KeyAgreementCrypto;
-import org.briarproject.bramble.api.crypto.KeyPair;
-import org.briarproject.bramble.api.crypto.PublicKey;
-import org.briarproject.bramble.api.crypto.SecretKey;
-
-import javax.inject.Inject;
-
-import static org.briarproject.bramble.api.keyagreement.KeyAgreementConstants.COMMIT_LENGTH;
-
-class KeyAgreementCryptoImpl implements KeyAgreementCrypto {
-
-	private final CryptoComponent crypto;
-
-	@Inject
-	KeyAgreementCryptoImpl(CryptoComponent crypto) {
-		this.crypto = crypto;
-	}
-
-	@Override
-	public byte[] deriveKeyCommitment(PublicKey publicKey) {
-		byte[] hash = crypto.hash(COMMIT_LABEL, publicKey.getEncoded());
-		// The output is the first COMMIT_LENGTH bytes of the hash
-		byte[] commitment = new byte[COMMIT_LENGTH];
-		System.arraycopy(hash, 0, commitment, 0, COMMIT_LENGTH);
-		return commitment;
-	}
-
-	@Override
-	public byte[] deriveConfirmationRecord(SecretKey sharedSecret,
-			byte[] theirPayload, byte[] ourPayload, PublicKey theirPublicKey,
-			KeyPair ourKeyPair, boolean alice, boolean aliceRecord) {
-		SecretKey ck = crypto.deriveKey(CONFIRMATION_KEY_LABEL, sharedSecret);
-		byte[] alicePayload, alicePub, bobPayload, bobPub;
-		if (alice) {
-			alicePayload = ourPayload;
-			alicePub = ourKeyPair.getPublic().getEncoded();
-			bobPayload = theirPayload;
-			bobPub = theirPublicKey.getEncoded();
-		} else {
-			alicePayload = theirPayload;
-			alicePub = theirPublicKey.getEncoded();
-			bobPayload = ourPayload;
-			bobPub = ourKeyPair.getPublic().getEncoded();
-		}
-		if (aliceRecord) {
-			return crypto.mac(CONFIRMATION_MAC_LABEL, ck, alicePayload,
-					alicePub, bobPayload, bobPub);
-		} else {
-			return crypto.mac(CONFIRMATION_MAC_LABEL, ck, bobPayload, bobPub,
-					alicePayload, alicePub);
-		}
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/crypto/PasswordBasedKdf.java

@@ -1,10 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.crypto.SecretKey;
-
-interface PasswordBasedKdf {
-
-	int chooseCostParameter();
-
-	SecretKey deriveKey(String password, byte[] salt, int cost);
-}

bramble-core/src/main/java/org/briarproject/bramble/crypto/ScryptKdf.java

@@ -1,62 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.crypto.SecretKey;
-import org.briarproject.bramble.api.system.Clock;
-import org.briarproject.bramble.util.StringUtils;
-import org.spongycastle.crypto.generators.SCrypt;
-
-import java.util.logging.Logger;
-
-import javax.inject.Inject;
-
-import static java.util.logging.Level.INFO;
-
-class ScryptKdf implements PasswordBasedKdf {
-
-	private static final Logger LOG =
-			Logger.getLogger(ScryptKdf.class.getName());
-
-	private static final int MIN_COST = 256; // Min parameter N
-	private static final int MAX_COST = 1024 * 1024; // Max parameter N
-	private static final int BLOCK_SIZE = 8; // Parameter r
-	private static final int PARALLELIZATION = 1; // Parameter p
-	private static final int TARGET_MS = 1000;
-
-	private final Clock clock;
-
-	@Inject
-	ScryptKdf(Clock clock) {
-		this.clock = clock;
-	}
-
-	@Override
-	public int chooseCostParameter() {
-		// Increase the cost from min to max while measuring performance
-		int cost = MIN_COST;
-		while (cost * 2 <= MAX_COST && measureDuration(cost) * 2 <= TARGET_MS)
-			cost *= 2;
-		if (LOG.isLoggable(INFO))
-			LOG.info("KDF cost parameter " + cost);
-		return cost;
-	}
-
-	private long measureDuration(int cost) {
-		byte[] password = new byte[16], salt = new byte[32];
-		long start = clock.currentTimeMillis();
-		SCrypt.generate(password, salt, cost, BLOCK_SIZE, PARALLELIZATION,
-				SecretKey.LENGTH);
-		return clock.currentTimeMillis() - start;
-	}
-
-	@Override
-	public SecretKey deriveKey(String password, byte[] salt, int cost) {
-		long start = System.currentTimeMillis();
-		byte[] passwordBytes = StringUtils.toUtf8(password);
-		SecretKey k = new SecretKey(SCrypt.generate(passwordBytes, salt, cost,
-				BLOCK_SIZE, PARALLELIZATION, SecretKey.LENGTH));
-		long duration = System.currentTimeMillis() - start;
-		if (LOG.isLoggable(INFO))
-			LOG.info("Deriving key from password took " + duration + " ms");
-		return k;
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/crypto/Signature.java

@@ -22,25 +22,25 @@ interface Signature {
 	/**
 	 * @see {@link java.security.Signature#update(byte)}
 	 */
-	void update(byte b) throws GeneralSecurityException;
+	void update(byte b);
 
 	/**
 	 * @see {@link java.security.Signature#update(byte[])}
 	 */
-	void update(byte[] b) throws GeneralSecurityException;
+	void update(byte[] b);
 
 	/**
 	 * @see {@link java.security.Signature#update(byte[], int, int)}
 	 */
-	void update(byte[] b, int off, int len) throws GeneralSecurityException;
+	void update(byte[] b, int off, int len);
 
 	/**
 	 * @see {@link java.security.Signature#sign()}
 	 */
-	byte[] sign() throws GeneralSecurityException;
+	byte[] sign();
 
 	/**
 	 * @see {@link java.security.Signature#verify(byte[])}
 	 */
-	boolean verify(byte[] signature) throws GeneralSecurityException;
+	boolean verify(byte[] signature);
 }

bramble-core/src/main/java/org/briarproject/bramble/crypto/SignatureImpl.java

@@ -0,0 +1,90 @@
+package org.briarproject.bramble.crypto;
+
+import org.briarproject.bramble.api.crypto.PrivateKey;
+import org.briarproject.bramble.api.crypto.PublicKey;
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+import org.spongycastle.crypto.Digest;
+import org.spongycastle.crypto.params.ECPrivateKeyParameters;
+import org.spongycastle.crypto.params.ECPublicKeyParameters;
+import org.spongycastle.crypto.params.ParametersWithRandom;
+import org.spongycastle.crypto.signers.DSADigestSigner;
+import org.spongycastle.crypto.signers.DSAKCalculator;
+import org.spongycastle.crypto.signers.ECDSASigner;
+import org.spongycastle.crypto.signers.HMacDSAKCalculator;
+
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+import java.util.logging.Logger;
+
+import javax.annotation.concurrent.NotThreadSafe;
+
+import static java.util.logging.Level.INFO;
+
+@NotThreadSafe
+@NotNullByDefault
+class SignatureImpl implements Signature {
+
+	private static final Logger LOG =
+			Logger.getLogger(SignatureImpl.class.getName());
+
+	private final SecureRandom secureRandom;
+	private final DSADigestSigner signer;
+
+	SignatureImpl(SecureRandom secureRandom) {
+		this.secureRandom = secureRandom;
+		Digest digest = new Blake2sDigest();
+		DSAKCalculator calculator = new HMacDSAKCalculator(digest);
+		signer = new DSADigestSigner(new ECDSASigner(calculator), digest);
+	}
+
+	@Override
+	public void initSign(PrivateKey k) throws GeneralSecurityException {
+		if (!(k instanceof Sec1PrivateKey))
+			throw new IllegalArgumentException();
+		ECPrivateKeyParameters priv = ((Sec1PrivateKey) k).getKey();
+		signer.init(true, new ParametersWithRandom(priv, secureRandom));
+	}
+
+	@Override
+	public void initVerify(PublicKey k) throws GeneralSecurityException {
+		if (!(k instanceof Sec1PublicKey))
+			throw new IllegalArgumentException();
+		ECPublicKeyParameters pub = ((Sec1PublicKey) k).getKey();
+		signer.init(false, pub);
+	}
+
+	@Override
+	public void update(byte b) {
+		signer.update(b);
+	}
+
+	@Override
+	public void update(byte[] b) {
+		update(b, 0, b.length);
+	}
+
+	@Override
+	public void update(byte[] b, int off, int len) {
+		signer.update(b, off, len);
+	}
+
+	@Override
+	public byte[] sign() {
+		long now = System.currentTimeMillis();
+		byte[] signature = signer.generateSignature();
+		long duration = System.currentTimeMillis() - now;
+		if (LOG.isLoggable(INFO))
+			LOG.info("Generating signature took " + duration + " ms");
+		return signature;
+	}
+
+	@Override
+	public boolean verify(byte[] signature) {
+		long now = System.currentTimeMillis();
+		boolean valid = signer.verifySignature(signature);
+		long duration = System.currentTimeMillis() - now;
+		if (LOG.isLoggable(INFO))
+			LOG.info("Verifying signature took " + duration + " ms");
+		return valid;
+	}
+}

bramble-core/src/main/java/org/briarproject/bramble/crypto/StreamEncrypterFactoryImpl.java

@@ -4,7 +4,6 @@ import org.briarproject.bramble.api.crypto.CryptoComponent;
 import org.briarproject.bramble.api.crypto.SecretKey;
 import org.briarproject.bramble.api.crypto.StreamEncrypter;
 import org.briarproject.bramble.api.crypto.StreamEncrypterFactory;
-import org.briarproject.bramble.api.crypto.TransportCrypto;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
 import org.briarproject.bramble.api.transport.StreamContext;
 
@@ -23,15 +22,12 @@ import static org.briarproject.bramble.api.transport.TransportConstants.TAG_LENG
 class StreamEncrypterFactoryImpl implements StreamEncrypterFactory {
 
 	private final CryptoComponent crypto;
-	private final TransportCrypto transportCrypto;
 	private final Provider<AuthenticatedCipher> cipherProvider;
 
 	@Inject
 	StreamEncrypterFactoryImpl(CryptoComponent crypto,
-			TransportCrypto transportCrypto,
 			Provider<AuthenticatedCipher> cipherProvider) {
 		this.crypto = crypto;
-		this.transportCrypto = transportCrypto;
 		this.cipherProvider = cipherProvider;
 	}
 
@@ -41,8 +37,7 @@ class StreamEncrypterFactoryImpl implements StreamEncrypterFactory {
 		AuthenticatedCipher cipher = cipherProvider.get();
 		long streamNumber = ctx.getStreamNumber();
 		byte[] tag = new byte[TAG_LENGTH];
-		transportCrypto.encodeTag(tag, ctx.getTagKey(), PROTOCOL_VERSION,
-				streamNumber);
+		crypto.encodeTag(tag, ctx.getTagKey(), PROTOCOL_VERSION, streamNumber);
 		byte[] streamHeaderNonce = new byte[STREAM_HEADER_NONCE_LENGTH];
 		crypto.getSecureRandom().nextBytes(streamHeaderNonce);
 		SecretKey frameKey = crypto.generateSecretKey();

bramble-core/src/main/java/org/briarproject/bramble/crypto/TransportCryptoImpl.java

@@ -1,138 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.crypto.CryptoComponent;
-import org.briarproject.bramble.api.crypto.SecretKey;
-import org.briarproject.bramble.api.crypto.TransportCrypto;
-import org.briarproject.bramble.api.plugin.TransportId;
-import org.briarproject.bramble.api.transport.IncomingKeys;
-import org.briarproject.bramble.api.transport.OutgoingKeys;
-import org.briarproject.bramble.api.transport.TransportKeys;
-import org.briarproject.bramble.util.ByteUtils;
-import org.briarproject.bramble.util.StringUtils;
-import org.spongycastle.crypto.Digest;
-import org.spongycastle.crypto.digests.Blake2bDigest;
-
-import javax.inject.Inject;
-
-import static org.briarproject.bramble.api.transport.TransportConstants.ALICE_HEADER_LABEL;
-import static org.briarproject.bramble.api.transport.TransportConstants.ALICE_TAG_LABEL;
-import static org.briarproject.bramble.api.transport.TransportConstants.BOB_HEADER_LABEL;
-import static org.briarproject.bramble.api.transport.TransportConstants.BOB_TAG_LABEL;
-import static org.briarproject.bramble.api.transport.TransportConstants.ROTATE_LABEL;
-import static org.briarproject.bramble.api.transport.TransportConstants.TAG_LENGTH;
-import static org.briarproject.bramble.util.ByteUtils.INT_16_BYTES;
-import static org.briarproject.bramble.util.ByteUtils.INT_64_BYTES;
-import static org.briarproject.bramble.util.ByteUtils.MAX_16_BIT_UNSIGNED;
-import static org.briarproject.bramble.util.ByteUtils.MAX_32_BIT_UNSIGNED;
-
-class TransportCryptoImpl implements TransportCrypto {
-
-	private final CryptoComponent crypto;
-
-	@Inject
-	TransportCryptoImpl(CryptoComponent crypto) {
-		this.crypto = crypto;
-	}
-
-	@Override
-	public TransportKeys deriveTransportKeys(TransportId t,
-			SecretKey master, long rotationPeriod, boolean alice,
-			boolean active) {
-		// Keys for the previous period are derived from the master secret
-		SecretKey inTagPrev = deriveTagKey(master, t, !alice);
-		SecretKey inHeaderPrev = deriveHeaderKey(master, t, !alice);
-		SecretKey outTagPrev = deriveTagKey(master, t, alice);
-		SecretKey outHeaderPrev = deriveHeaderKey(master, t, alice);
-		// Derive the keys for the current and next periods
-		SecretKey inTagCurr = rotateKey(inTagPrev, rotationPeriod);
-		SecretKey inHeaderCurr = rotateKey(inHeaderPrev, rotationPeriod);
-		SecretKey inTagNext = rotateKey(inTagCurr, rotationPeriod + 1);
-		SecretKey inHeaderNext = rotateKey(inHeaderCurr, rotationPeriod + 1);
-		SecretKey outTagCurr = rotateKey(outTagPrev, rotationPeriod);
-		SecretKey outHeaderCurr = rotateKey(outHeaderPrev, rotationPeriod);
-		// Initialise the reordering windows and stream counters
-		IncomingKeys inPrev = new IncomingKeys(inTagPrev, inHeaderPrev,
-				rotationPeriod - 1);
-		IncomingKeys inCurr = new IncomingKeys(inTagCurr, inHeaderCurr,
-				rotationPeriod);
-		IncomingKeys inNext = new IncomingKeys(inTagNext, inHeaderNext,
-				rotationPeriod + 1);
-		OutgoingKeys outCurr = new OutgoingKeys(outTagCurr, outHeaderCurr,
-				rotationPeriod, active);
-		// Collect and return the keys
-		return new TransportKeys(t, inPrev, inCurr, inNext, outCurr);
-	}
-
-	@Override
-	public TransportKeys rotateTransportKeys(TransportKeys k,
-			long rotationPeriod) {
-		if (k.getRotationPeriod() >= rotationPeriod) return k;
-		IncomingKeys inPrev = k.getPreviousIncomingKeys();
-		IncomingKeys inCurr = k.getCurrentIncomingKeys();
-		IncomingKeys inNext = k.getNextIncomingKeys();
-		OutgoingKeys outCurr = k.getCurrentOutgoingKeys();
-		long startPeriod = outCurr.getRotationPeriod();
-		boolean active = outCurr.isActive();
-		// Rotate the keys
-		for (long p = startPeriod + 1; p <= rotationPeriod; p++) {
-			inPrev = inCurr;
-			inCurr = inNext;
-			SecretKey inNextTag = rotateKey(inNext.getTagKey(), p + 1);
-			SecretKey inNextHeader = rotateKey(inNext.getHeaderKey(), p + 1);
-			inNext = new IncomingKeys(inNextTag, inNextHeader, p + 1);
-			SecretKey outCurrTag = rotateKey(outCurr.getTagKey(), p);
-			SecretKey outCurrHeader = rotateKey(outCurr.getHeaderKey(), p);
-			outCurr = new OutgoingKeys(outCurrTag, outCurrHeader, p, active);
-		}
-		// Collect and return the keys
-		return new TransportKeys(k.getTransportId(), inPrev, inCurr, inNext,
-				outCurr);
-	}
-
-	private SecretKey rotateKey(SecretKey k, long rotationPeriod) {
-		byte[] period = new byte[INT_64_BYTES];
-		ByteUtils.writeUint64(rotationPeriod, period, 0);
-		return crypto.deriveKey(ROTATE_LABEL, k, period);
-	}
-
-	private SecretKey deriveTagKey(SecretKey master, TransportId t,
-			boolean alice) {
-		String label = alice ? ALICE_TAG_LABEL : BOB_TAG_LABEL;
-		byte[] id = StringUtils.toUtf8(t.getString());
-		return crypto.deriveKey(label, master, id);
-	}
-
-	private SecretKey deriveHeaderKey(SecretKey master, TransportId t,
-			boolean alice) {
-		String label = alice ? ALICE_HEADER_LABEL : BOB_HEADER_LABEL;
-		byte[] id = StringUtils.toUtf8(t.getString());
-		return crypto.deriveKey(label, master, id);
-	}
-
-	@Override
-	public void encodeTag(byte[] tag, SecretKey tagKey, int protocolVersion,
-			long streamNumber) {
-		if (tag.length < TAG_LENGTH) throw new IllegalArgumentException();
-		if (protocolVersion < 0 || protocolVersion > MAX_16_BIT_UNSIGNED)
-			throw new IllegalArgumentException();
-		if (streamNumber < 0 || streamNumber > MAX_32_BIT_UNSIGNED)
-			throw new IllegalArgumentException();
-		// Initialise the PRF
-		Digest prf = new Blake2bDigest(tagKey.getBytes(), 32, null, null);
-		// The output of the PRF must be long enough to use as a tag
-		int macLength = prf.getDigestSize();
-		if (macLength < TAG_LENGTH) throw new IllegalStateException();
-		// The input is the protocol version as a 16-bit integer, followed by
-		// the stream number as a 64-bit integer
-		byte[] protocolVersionBytes = new byte[INT_16_BYTES];
-		ByteUtils.writeUint16(protocolVersion, protocolVersionBytes, 0);
-		prf.update(protocolVersionBytes, 0, protocolVersionBytes.length);
-		byte[] streamNumberBytes = new byte[INT_64_BYTES];
-		ByteUtils.writeUint64(streamNumber, streamNumberBytes, 0);
-		prf.update(streamNumberBytes, 0, streamNumberBytes.length);
-		byte[] mac = new byte[macLength];
-		prf.doFinal(mac, 0);
-		// The output is the first TAG_LENGTH bytes of the MAC
-		System.arraycopy(mac, 0, tag, 0, TAG_LENGTH);
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/db/Database.java

@@ -21,8 +21,6 @@ import org.briarproject.bramble.api.sync.Message;
 import org.briarproject.bramble.api.sync.MessageId;
 import org.briarproject.bramble.api.sync.MessageStatus;
 import org.briarproject.bramble.api.sync.ValidationManager.State;
-import org.briarproject.bramble.api.transport.KeySet;
-import org.briarproject.bramble.api.transport.KeySetId;
 import org.briarproject.bramble.api.transport.TransportKeys;
 
 import java.util.Collection;
@@ -107,11 +105,10 @@ interface Database<T> {
 			@Nullable ContactId sender) throws DbException;
 
 	/**
-	 * Adds a dependency between two messages, where the dependent message is
-	 * in the given state.
+	 * Adds a dependency between two messages in the given group.
 	 */
-	void addMessageDependency(T txn, Message dependent, MessageId dependency,
-			State dependentState) throws DbException;
+	void addMessageDependency(T txn, GroupId g, MessageId dependent,
+			MessageId dependency) throws DbException;
 
 	/**
 	 * Records that a message has been offered by the given contact.
@@ -125,16 +122,9 @@ interface Database<T> {
 			throws DbException;
 
 	/**
-	 * Stores the given transport keys, optionally binding them to the given
-	 * contact, and returns a key set ID.
+	 * Stores transport keys for a newly added contact.
 	 */
-	KeySetId addTransportKeys(T txn, @Nullable ContactId c, TransportKeys k)
-			throws DbException;
-
-	/**
-	 * Binds the given keys for the given transport to the given contact.
-	 */
-	void bindTransportKeys(T txn, ContactId c, TransportId t, KeySetId k)
+	void addTransportKeys(T txn, ContactId c, TransportKeys k)
 			throws DbException;
 
 	/**
@@ -302,8 +292,10 @@ interface Database<T> {
 
 	/**
 	 * Returns the IDs and states of all dependencies of the given message.
-	 * For missing dependencies and dependencies in other groups, the state
-	 * {@link State UNKNOWN} is returned.
+	 * Missing dependencies have the state {@link State UNKNOWN}.
+	 * Dependencies in other groups have the state {@link State INVALID}.
+	 * Note that these states are not set on the dependencies themselves; the
+	 * returned states should only be taken in the context of the given message.
 	 * <p/>
 	 * Read-only.
 	 */
@@ -311,9 +303,9 @@ interface Database<T> {
 			throws DbException;
 
 	/**
-	 * Returns the IDs and states of all dependents of the given message.
-	 * Dependents in other groups are not returned. If the given message is
-	 * missing, no dependents are returned.
+	 * Returns all IDs and states of all dependents of the given message.
+	 * Messages in other groups that declare a dependency on the given message
+	 * will be returned even though such dependencies are invalid.
 	 * <p/>
 	 * Read-only.
 	 */
@@ -495,14 +487,15 @@ interface Database<T> {
 	 * <p/>
 	 * Read-only.
 	 */
-	Collection<KeySet> getTransportKeys(T txn, TransportId t)
+	Map<ContactId, TransportKeys> getTransportKeys(T txn, TransportId t)
 			throws DbException;
 
 	/**
-	 * Increments the outgoing stream counter for the given transport keys.
+	 * Increments the outgoing stream counter for the given contact and
+	 * transport in the given rotation period.
 	 */
-	void incrementStreamCounter(T txn, TransportId t, KeySetId k)
-			throws DbException;
+	void incrementStreamCounter(T txn, ContactId c, TransportId t,
+			long rotationPeriod) throws DbException;
 
 	/**
 	 * Marks the given messages as not needing to be acknowledged to the
@@ -592,12 +585,6 @@ interface Database<T> {
 	 */
 	void removeTransport(T txn, TransportId t) throws DbException;
 
-	/**
-	 * Removes the given transport keys from the database.
-	 */
-	void removeTransportKeys(T txn, TransportId t, KeySetId k)
-			throws DbException;
-
 	/**
 	 * Resets the transmission count and expiry time of the given message with
 	 * respect to the given contact.
@@ -633,18 +620,12 @@ interface Database<T> {
 	void setMessageState(T txn, MessageId m, State state) throws DbException;
 
 	/**
-	 * Sets the reordering window for the given key set and transport in the
+	 * Sets the reordering window for the given contact and transport in the
 	 * given rotation period.
 	 */
-	void setReorderingWindow(T txn, KeySetId k, TransportId t,
+	void setReorderingWindow(T txn, ContactId c, TransportId t,
 			long rotationPeriod, long base, byte[] bitmap) throws DbException;
 
-	/**
-	 * Marks the given transport keys as usable for outgoing streams.
-	 */
-	void setTransportKeysActive(T txn, TransportId t, KeySetId k)
-		throws DbException;
-
 	/**
 	 * Updates the transmission count and expiry time of the given message
 	 * with respect to the given contact, using the latency of the transport
@@ -656,5 +637,6 @@ interface Database<T> {
 	/**
 	 * Stores the given transport keys, deleting any keys they have replaced.
 	 */
-	void updateTransportKeys(T txn, Collection<KeySet> keys) throws DbException;
+	void updateTransportKeys(T txn, Map<ContactId, TransportKeys> keys)
+			throws DbException;
 }

bramble-core/src/main/java/org/briarproject/bramble/db/DatabaseComponentImpl.java

@@ -51,15 +51,15 @@ import org.briarproject.bramble.api.sync.event.MessageToAckEvent;
 import org.briarproject.bramble.api.sync.event.MessageToRequestEvent;
 import org.briarproject.bramble.api.sync.event.MessagesAckedEvent;
 import org.briarproject.bramble.api.sync.event.MessagesSentEvent;
-import org.briarproject.bramble.api.transport.KeySet;
-import org.briarproject.bramble.api.transport.KeySetId;
 import org.briarproject.bramble.api.transport.TransportKeys;
 
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Map.Entry;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
 import java.util.logging.Logger;
@@ -234,27 +234,15 @@ class DatabaseComponentImpl<T> implements DatabaseComponent {
 	}
 
 	@Override
-	public KeySetId addTransportKeys(Transaction transaction,
-			@Nullable ContactId c, TransportKeys k) throws DbException {
-		if (transaction.isReadOnly()) throw new IllegalArgumentException();
-		T txn = unbox(transaction);
-		if (c != null && !db.containsContact(txn, c))
-			throw new NoSuchContactException();
-		if (!db.containsTransport(txn, k.getTransportId()))
-			throw new NoSuchTransportException();
-		return db.addTransportKeys(txn, c, k);
-	}
-
-	@Override
-	public void bindTransportKeys(Transaction transaction, ContactId c,
-			TransportId t, KeySetId k) throws DbException {
+	public void addTransportKeys(Transaction transaction, ContactId c,
+			TransportKeys k) throws DbException {
 		if (transaction.isReadOnly()) throw new IllegalArgumentException();
 		T txn = unbox(transaction);
 		if (!db.containsContact(txn, c))
 			throw new NoSuchContactException();
-		if (!db.containsTransport(txn, t))
+		if (!db.containsTransport(txn, k.getTransportId()))
 			throw new NoSuchTransportException();
-		db.bindTransportKeys(txn, c, t, k);
+		db.addTransportKeys(txn, c, k);
 	}
 
 	@Override
@@ -598,8 +586,8 @@ class DatabaseComponentImpl<T> implements DatabaseComponent {
 	}
 
 	@Override
-	public Collection<KeySet> getTransportKeys(Transaction transaction,
-			TransportId t) throws DbException {
+	public Map<ContactId, TransportKeys> getTransportKeys(
+			Transaction transaction, TransportId t) throws DbException {
 		T txn = unbox(transaction);
 		if (!db.containsTransport(txn, t))
 			throw new NoSuchTransportException();
@@ -607,13 +595,15 @@ class DatabaseComponentImpl<T> implements DatabaseComponent {
 	}
 
 	@Override
-	public void incrementStreamCounter(Transaction transaction, TransportId t,
-			KeySetId k) throws DbException {
+	public void incrementStreamCounter(Transaction transaction, ContactId c,
+			TransportId t, long rotationPeriod) throws DbException {
 		if (transaction.isReadOnly()) throw new IllegalArgumentException();
 		T txn = unbox(transaction);
+		if (!db.containsContact(txn, c))
+			throw new NoSuchContactException();
 		if (!db.containsTransport(txn, t))
 			throw new NoSuchTransportException();
-		db.incrementStreamCounter(txn, t, k);
+		db.incrementStreamCounter(txn, c, t, rotationPeriod);
 	}
 
 	@Override
@@ -775,7 +765,6 @@ class DatabaseComponentImpl<T> implements DatabaseComponent {
 		T txn = unbox(transaction);
 		if (!db.containsMessage(txn, m))
 			throw new NoSuchMessageException();
-		// TODO: Don't allow messages with dependents to be removed
 		db.removeMessage(txn, m);
 	}
 
@@ -789,16 +778,6 @@ class DatabaseComponentImpl<T> implements DatabaseComponent {
 		db.removeTransport(txn, t);
 	}
 
-	@Override
-	public void removeTransportKeys(Transaction transaction,
-			TransportId t, KeySetId k) throws DbException {
-		if (transaction.isReadOnly()) throw new IllegalArgumentException();
-		T txn = unbox(transaction);
-		if (!db.containsTransport(txn, t))
-			throw new NoSuchTransportException();
-		db.removeTransportKeys(txn, t, k);
-	}
-
 	@Override
 	public void setContactVerified(Transaction transaction, ContactId c)
 			throws DbException {
@@ -871,42 +850,38 @@ class DatabaseComponentImpl<T> implements DatabaseComponent {
 		T txn = unbox(transaction);
 		if (!db.containsMessage(txn, dependent.getId()))
 			throw new NoSuchMessageException();
-		State dependentState = db.getMessageState(txn, dependent.getId());
 		for (MessageId dependency : dependencies) {
-			db.addMessageDependency(txn, dependent, dependency, dependentState);
+			db.addMessageDependency(txn, dependent.getGroupId(),
+					dependent.getId(), dependency);
 		}
 	}
 
 	@Override
-	public void setReorderingWindow(Transaction transaction, KeySetId k,
+	public void setReorderingWindow(Transaction transaction, ContactId c,
 			TransportId t, long rotationPeriod, long base, byte[] bitmap)
 			throws DbException {
 		if (transaction.isReadOnly()) throw new IllegalArgumentException();
 		T txn = unbox(transaction);
+		if (!db.containsContact(txn, c))
+			throw new NoSuchContactException();
 		if (!db.containsTransport(txn, t))
 			throw new NoSuchTransportException();
-		db.setReorderingWindow(txn, k, t, rotationPeriod, base, bitmap);
-	}
-
-	@Override
-	public void setTransportKeysActive(Transaction transaction, TransportId t,
-			KeySetId k) throws DbException {
-		if (transaction.isReadOnly()) throw new IllegalArgumentException();
-		T txn = unbox(transaction);
-		if (!db.containsTransport(txn, t))
-			throw new NoSuchTransportException();
-		db.setTransportKeysActive(txn, t, k);
+		db.setReorderingWindow(txn, c, t, rotationPeriod, base, bitmap);
 	}
 
 	@Override
 	public void updateTransportKeys(Transaction transaction,
-			Collection<KeySet> keys) throws DbException {
+			Map<ContactId, TransportKeys> keys) throws DbException {
 		if (transaction.isReadOnly()) throw new IllegalArgumentException();
 		T txn = unbox(transaction);
-		Collection<KeySet> filtered = new ArrayList<>();
-		for (KeySet ks : keys) {
-			TransportId t = ks.getTransportKeys().getTransportId();
-			if (db.containsTransport(txn, t)) filtered.add(ks);
+		Map<ContactId, TransportKeys> filtered = new HashMap<>();
+		for (Entry<ContactId, TransportKeys> e : keys.entrySet()) {
+			ContactId c = e.getKey();
+			TransportKeys k = e.getValue();
+			if (db.containsContact(txn, c)
+					&& db.containsTransport(txn, k.getTransportId())) {
+				filtered.put(c, k);
+			}
 		}
 		db.updateTransportKeys(txn, filtered);
 	}

bramble-core/src/main/java/org/briarproject/bramble/db/H2Database.java

@@ -24,23 +24,21 @@ import javax.inject.Inject;
 class H2Database extends JdbcDatabase {
 
 	private static final String HASH_TYPE = "BINARY(32)";
-	private static final String SECRET_TYPE = "BINARY(32)";
 	private static final String BINARY_TYPE = "BINARY";
 	private static final String COUNTER_TYPE = "INT NOT NULL AUTO_INCREMENT";
-	private static final String STRING_TYPE = "VARCHAR";
+	private static final String SECRET_TYPE = "BINARY(32)";
 
 	private final DatabaseConfig config;
 	private final String url;
 
 	@Inject
 	H2Database(DatabaseConfig config, Clock clock) {
-		super(HASH_TYPE, SECRET_TYPE, BINARY_TYPE, COUNTER_TYPE, STRING_TYPE,
-				clock);
+		super(HASH_TYPE, BINARY_TYPE, COUNTER_TYPE, SECRET_TYPE, clock);
 		this.config = config;
 		File dir = config.getDatabaseDirectory();
 		String path = new File(dir, "db").getAbsolutePath();
 		url = "jdbc:h2:split:" + path + ";CIPHER=AES;MULTI_THREADED=1"
-				+ ";WRITE_DELAY=0";
+				+ ";WRITE_DELAY=0;DB_CLOSE_ON_EXIT=false";
 	}
 
 	@Override
@@ -95,10 +93,6 @@ class H2Database extends JdbcDatabase {
 		// Separate the file password from the user password with a space
 		String hex = StringUtils.toHexString(key.getBytes());
 		props.put("password", hex + " password");
-		return DriverManager.getConnection(getUrl(), props);
-	}
-
-	String getUrl() {
-		return url;
+		return DriverManager.getConnection(url, props);
 	}
 }

bramble-core/src/main/java/org/briarproject/bramble/db/HyperSqlDatabase.java

@@ -1,101 +0,0 @@
-package org.briarproject.bramble.db;
-
-import org.briarproject.bramble.api.crypto.SecretKey;
-import org.briarproject.bramble.api.db.DatabaseConfig;
-import org.briarproject.bramble.api.db.DbException;
-import org.briarproject.bramble.api.db.MigrationListener;
-import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-import org.briarproject.bramble.api.system.Clock;
-import org.briarproject.bramble.util.StringUtils;
-
-import java.io.File;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import javax.annotation.Nullable;
-import javax.inject.Inject;
-
-/**
- * Contains all the HSQLDB-specific code for the database.
- */
-@NotNullByDefault
-class HyperSqlDatabase extends JdbcDatabase {
-
-	private static final String HASH_TYPE = "BINARY(32)";
-	private static final String SECRET_TYPE = "BINARY(32)";
-	private static final String BINARY_TYPE = "BINARY";
-	private static final String COUNTER_TYPE =
-			"INTEGER NOT NULL GENERATED ALWAYS AS IDENTITY(START WITH 1)";
-	private static final String STRING_TYPE = "VARCHAR";
-
-	private final DatabaseConfig config;
-	private final String url;
-
-	@Inject
-	HyperSqlDatabase(DatabaseConfig config, Clock clock) {
-		super(HASH_TYPE, SECRET_TYPE, BINARY_TYPE, COUNTER_TYPE, STRING_TYPE,
-				clock);
-		this.config = config;
-		File dir = config.getDatabaseDirectory();
-		String path = new File(dir, "db").getAbsolutePath();
-		url = "jdbc:hsqldb:file:" + path
-				+ ";sql.enforce_size=false;allow_empty_batch=true"
-				+ ";encrypt_lobs=true;crypt_type=AES";
-	}
-
-	@Override
-	public boolean open(@Nullable MigrationListener listener) throws DbException {
-		boolean reopen = config.databaseExists();
-		if (!reopen) config.getDatabaseDirectory().mkdirs();
-		super.open("org.hsqldb.jdbc.JDBCDriver", reopen, listener);
-		return reopen;
-	}
-
-	@Override
-	public void close() throws DbException {
-		try {
-			super.closeAllConnections();
-			Connection c = createConnection();
-			Statement s = c.createStatement();
-			s.executeQuery("SHUTDOWN");
-			s.close();
-			c.close();
-		} catch (SQLException e) {
-			throw new DbException(e);
-		}
-	}
-
-	@Override
-	public long getFreeSpace() throws DbException {
-		File dir = config.getDatabaseDirectory();
-		long maxSize = config.getMaxSize();
-		long free = dir.getFreeSpace();
-		long used = getDiskSpace(dir);
-		long quota = maxSize - used;
-		return Math.min(free, quota);
-	}
-
-	private long getDiskSpace(File f) {
-		if (f.isDirectory()) {
-			long total = 0;
-			File[] children = f.listFiles();
-			if (children != null)
-				for (File child : children) total += getDiskSpace(child);
-			return total;
-		} else if (f.isFile()) {
-			return f.length();
-		} else {
-			return 0;
-		}
-	}
-
-	@Override
-	protected Connection createConnection() throws SQLException {
-		SecretKey key = config.getEncryptionKey();
-		if (key == null) throw new IllegalStateException();
-		String hex = StringUtils.toHexString(key.getBytes());
-		return DriverManager.getConnection(url + ";crypt_key=" + hex);
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/db/Migration30_31.java

@@ -0,0 +1,75 @@
+package org.briarproject.bramble.db;
+
+import org.briarproject.bramble.api.db.DbException;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.logging.Logger;
+
+import javax.annotation.Nullable;
+
+import static java.util.logging.Level.WARNING;
+
+class Migration30_31 implements Migration<Connection> {
+
+	private static final Logger LOG =
+			Logger.getLogger(Migration30_31.class.getName());
+
+	@Override
+	public int getStartVersion() {
+		return 30;
+	}
+
+	@Override
+	public int getEndVersion() {
+		return 31;
+	}
+
+	@Override
+	public void migrate(Connection txn) throws DbException {
+		Statement s = null;
+		try {
+			s = txn.createStatement();
+			// Add groupId column
+			s.execute("ALTER TABLE messageMetadata"
+					+ " ADD COLUMN groupId BINARY(32) AFTER messageId");
+			// Populate groupId column
+			s.execute("UPDATE messageMetadata AS mm SET groupId ="
+					+ " (SELECT groupId FROM messages AS m"
+					+ " WHERE mm.messageId = m.messageId)");
+			// Add not null constraint now column has been populated
+			s.execute("ALTER TABLE messageMetadata"
+					+ " ALTER COLUMN groupId"
+					+ " SET NOT NULL");
+			// Add foreign key constraint
+			s.execute("ALTER TABLE messageMetadata"
+					+ " ADD CONSTRAINT groupIdForeignKey"
+					+ " FOREIGN KEY (groupId)"
+					+ " REFERENCES groups (groupId)"
+					+ " ON DELETE CASCADE");
+			// Add state column
+			s.execute("ALTER TABLE messageMetadata"
+					+ " ADD COLUMN state INT AFTER groupId");
+			// Populate state column
+			s.execute("UPDATE messageMetadata AS mm SET state ="
+					+ " (SELECT state FROM messages AS m"
+					+ " WHERE mm.messageId = m.messageId)");
+			// Add not null constraint now column has been populated
+			s.execute("ALTER TABLE messageMetadata"
+					+ " ALTER COLUMN state"
+					+ " SET NOT NULL");
+		} catch (SQLException e) {
+			tryToClose(s);
+			throw new DbException(e);
+		}
+	}
+
+	private void tryToClose(@Nullable Statement s) {
+		try {
+			if (s != null) s.close();
+		} catch (SQLException e) {
+			if (LOG.isLoggable(WARNING)) LOG.log(WARNING, e.toString(), e);
+		}
+	}
+}

bramble-core/src/main/java/org/briarproject/bramble/db/Migration31_32.java

@@ -0,0 +1,84 @@
+package org.briarproject.bramble.db;
+
+import org.briarproject.bramble.api.db.DbException;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.logging.Logger;
+
+import javax.annotation.Nullable;
+
+import static java.util.logging.Level.WARNING;
+
+class Migration31_32 implements Migration<Connection> {
+
+	private static final Logger LOG =
+			Logger.getLogger(Migration31_32.class.getName());
+
+	@Override
+	public int getStartVersion() {
+		return 31;
+	}
+
+	@Override
+	public int getEndVersion() {
+		return 32;
+	}
+
+	@Override
+	public void migrate(Connection txn) throws DbException {
+		Statement s = null;
+		try {
+			s = txn.createStatement();
+			// Add denormalised columns
+			s.execute("ALTER TABLE statuses ADD COLUMN"
+					+ " (groupId BINARY(32),"
+					+ " timestamp BIGINT,"
+					+ " length INT,"
+					+ " state INT,"
+					+ " groupShared BOOLEAN,"
+					+ " messageShared BOOLEAN,"
+					+ " deleted BOOLEAN)");
+			// Populate columns from messages table
+			s.execute("UPDATE statuses AS s SET (groupId, timestamp, length,"
+					+ " state, messageShared, deleted) ="
+					+ " (SELECT groupId, timestamp, length, state, shared,"
+					+ " raw IS NULL FROM messages AS m"
+					+ " WHERE s.messageId = m.messageId)");
+			// Populate column from groupVisibilities table
+			s.execute("UPDATE statuses AS s SET groupShared ="
+					+ " (SELECT shared FROM groupVisibilities AS gv"
+					+ " WHERE s.contactId = gv.contactId"
+					+ " AND s.groupId = gv.groupId)");
+			// Add not null constraints now columns have been populated
+			s.execute("ALTER TABLE statuses ALTER COLUMN groupId SET NOT NULL");
+			s.execute("ALTER TABLE statuses ALTER COLUMN timestamp"
+					+ " SET NOT NULL");
+			s.execute("ALTER TABLE statuses ALTER COLUMN length SET NOT NULL");
+			s.execute("ALTER TABLE statuses ALTER COLUMN state SET NOT NULL");
+			s.execute("ALTER TABLE statuses ALTER COLUMN groupShared"
+					+ " SET NOT NULL");
+			s.execute("ALTER TABLE statuses ALTER COLUMN messageShared"
+					+ " SET NOT NULL");
+			s.execute("ALTER TABLE statuses ALTER COLUMN deleted SET NOT NULL");
+			// Add foreign key constraint
+			s.execute("ALTER TABLE statuses"
+					+ " ADD CONSTRAINT statusesForeignKeyGroupId"
+					+ " FOREIGN KEY (groupId)"
+					+ " REFERENCES groups (groupId)"
+					+ " ON DELETE CASCADE");
+		} catch (SQLException e) {
+			tryToClose(s);
+			throw new DbException(e);
+		}
+	}
+
+	private void tryToClose(@Nullable Statement s) {
+		try {
+			if (s != null) s.close();
+		} catch (SQLException e) {
+			if (LOG.isLoggable(WARNING)) LOG.log(WARNING, e.toString(), e);
+		}
+	}
+}

bramble-core/src/main/java/org/briarproject/bramble/identity/AuthorFactoryImpl.java

@@ -1,65 +1,61 @@
 package org.briarproject.bramble.identity;
 
 import org.briarproject.bramble.api.crypto.CryptoComponent;
+import org.briarproject.bramble.api.data.BdfWriter;
+import org.briarproject.bramble.api.data.BdfWriterFactory;
 import org.briarproject.bramble.api.identity.Author;
 import org.briarproject.bramble.api.identity.AuthorFactory;
 import org.briarproject.bramble.api.identity.AuthorId;
 import org.briarproject.bramble.api.identity.LocalAuthor;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
 import org.briarproject.bramble.api.system.Clock;
-import org.briarproject.bramble.util.ByteUtils;
-import org.briarproject.bramble.util.StringUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
 
 import javax.annotation.concurrent.Immutable;
 import javax.inject.Inject;
 
-import static org.briarproject.bramble.api.identity.Author.FORMAT_VERSION;
-import static org.briarproject.bramble.api.identity.AuthorId.LABEL;
-import static org.briarproject.bramble.util.ByteUtils.INT_32_BYTES;
-
 @Immutable
 @NotNullByDefault
 class AuthorFactoryImpl implements AuthorFactory {
 
 	private final CryptoComponent crypto;
+	private final BdfWriterFactory bdfWriterFactory;
 	private final Clock clock;
 
 	@Inject
-	AuthorFactoryImpl(CryptoComponent crypto, Clock clock) {
+	AuthorFactoryImpl(CryptoComponent crypto, BdfWriterFactory bdfWriterFactory,
+			Clock clock) {
 		this.crypto = crypto;
+		this.bdfWriterFactory = bdfWriterFactory;
 		this.clock = clock;
 	}
 
 	@Override
 	public Author createAuthor(String name, byte[] publicKey) {
-		return createAuthor(FORMAT_VERSION, name, publicKey);
-	}
-
-	@Override
-	public Author createAuthor(int formatVersion, String name,
-			byte[] publicKey) {
-		AuthorId id = getId(formatVersion, name, publicKey);
-		return new Author(id, formatVersion, name, publicKey);
+		return new Author(getId(name, publicKey), name, publicKey);
 	}
 
 	@Override
 	public LocalAuthor createLocalAuthor(String name, byte[] publicKey,
 			byte[] privateKey) {
-		return createLocalAuthor(FORMAT_VERSION, name, publicKey, privateKey);
+		return new LocalAuthor(getId(name, publicKey), name, publicKey,
+				privateKey, clock.currentTimeMillis());
 	}
 
-	@Override
-	public LocalAuthor createLocalAuthor(int formatVersion, String name,
-			byte[] publicKey, byte[] privateKey) {
-		AuthorId id = getId(formatVersion, name, publicKey);
-		return new LocalAuthor(id, formatVersion, name, publicKey, privateKey,
-				clock.currentTimeMillis());
-	}
-
-	private AuthorId getId(int formatVersion, String name, byte[] publicKey) {
-		byte[] formatVersionBytes = new byte[INT_32_BYTES];
-		ByteUtils.writeUint32(formatVersion, formatVersionBytes, 0);
-		return new AuthorId(crypto.hash(LABEL, formatVersionBytes,
-				StringUtils.toUtf8(name), publicKey));
+	private AuthorId getId(String name, byte[] publicKey) {
+		ByteArrayOutputStream out = new ByteArrayOutputStream();
+		BdfWriter w = bdfWriterFactory.createWriter(out);
+		try {
+			w.writeListStart();
+			w.writeString(name);
+			w.writeRaw(publicKey);
+			w.writeListEnd();
+		} catch (IOException e) {
+			// Shouldn't happen with ByteArrayOutputStream
+			throw new RuntimeException(e);
+		}
+		return new AuthorId(crypto.hash(AuthorId.LABEL, out.toByteArray()));
 	}
 }

bramble-core/src/main/java/org/briarproject/bramble/identity/AuthorReader.java

@@ -0,0 +1,36 @@
+package org.briarproject.bramble.identity;
+
+import org.briarproject.bramble.api.FormatException;
+import org.briarproject.bramble.api.data.BdfReader;
+import org.briarproject.bramble.api.data.ObjectReader;
+import org.briarproject.bramble.api.identity.Author;
+import org.briarproject.bramble.api.identity.AuthorFactory;
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+
+import java.io.IOException;
+
+import javax.annotation.concurrent.Immutable;
+
+import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_AUTHOR_NAME_LENGTH;
+import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_PUBLIC_KEY_LENGTH;
+
+@Immutable
+@NotNullByDefault
+class AuthorReader implements ObjectReader<Author> {
+
+	private final AuthorFactory authorFactory;
+
+	AuthorReader(AuthorFactory authorFactory) {
+		this.authorFactory = authorFactory;
+	}
+
+	@Override
+	public Author readObject(BdfReader r) throws IOException {
+		r.readListStart();
+		String name = r.readString(MAX_AUTHOR_NAME_LENGTH);
+		if (name.length() == 0) throw new FormatException();
+		byte[] publicKey = r.readRaw(MAX_PUBLIC_KEY_LENGTH);
+		r.readListEnd();
+		return authorFactory.createAuthor(name, publicKey);
+	}
+}

bramble-core/src/main/java/org/briarproject/bramble/identity/IdentityModule.java

@@ -1,7 +1,13 @@
 package org.briarproject.bramble.identity;
 
+import org.briarproject.bramble.api.crypto.CryptoComponent;
+import org.briarproject.bramble.api.data.BdfWriterFactory;
+import org.briarproject.bramble.api.data.ObjectReader;
+import org.briarproject.bramble.api.db.DatabaseComponent;
+import org.briarproject.bramble.api.identity.Author;
 import org.briarproject.bramble.api.identity.AuthorFactory;
 import org.briarproject.bramble.api.identity.IdentityManager;
+import org.briarproject.bramble.api.system.Clock;
 
 import javax.inject.Inject;
 import javax.inject.Singleton;
@@ -18,14 +24,19 @@ public class IdentityModule {
 	}
 
 	@Provides
-	AuthorFactory provideAuthorFactory(AuthorFactoryImpl authorFactory) {
-		return authorFactory;
+	AuthorFactory provideAuthorFactory(CryptoComponent crypto,
+			BdfWriterFactory bdfWriterFactory, Clock clock) {
+		return new AuthorFactoryImpl(crypto, bdfWriterFactory, clock);
 	}
 
 	@Provides
 	@Singleton
-	IdentityManager provideIdentityManager(
-			IdentityManagerImpl identityManager) {
-		return identityManager;
+	IdentityManager provideIdentityModule(DatabaseComponent db) {
+		return new IdentityManagerImpl(db);
+	}
+
+	@Provides
+	ObjectReader<Author> provideAuthorReader(AuthorFactory authorFactory) {
+		return new AuthorReader(authorFactory);
 	}
 }

bramble-core/src/main/java/org/briarproject/bramble/keyagreement/KeyAgreementConnector.java

@@ -1,6 +1,6 @@
 package org.briarproject.bramble.keyagreement;
 
-import org.briarproject.bramble.api.crypto.KeyAgreementCrypto;
+import org.briarproject.bramble.api.crypto.CryptoComponent;
 import org.briarproject.bramble.api.crypto.KeyPair;
 import org.briarproject.bramble.api.data.BdfList;
 import org.briarproject.bramble.api.keyagreement.KeyAgreementConnection;
@@ -41,7 +41,7 @@ class KeyAgreementConnector {
 			Logger.getLogger(KeyAgreementConnector.class.getName());
 
 	private final Callbacks callbacks;
-	private final KeyAgreementCrypto keyAgreementCrypto;
+	private final CryptoComponent crypto;
 	private final PluginManager pluginManager;
 	private final ConnectionChooser connectionChooser;
 
@@ -53,10 +53,10 @@ class KeyAgreementConnector {
 	private volatile boolean alice = false, stopped = false;
 
 	KeyAgreementConnector(Callbacks callbacks,
-			KeyAgreementCrypto keyAgreementCrypto, PluginManager pluginManager,
+			CryptoComponent crypto, PluginManager pluginManager,
 			ConnectionChooser connectionChooser) {
 		this.callbacks = callbacks;
-		this.keyAgreementCrypto = keyAgreementCrypto;
+		this.crypto = crypto;
 		this.pluginManager = pluginManager;
 		this.connectionChooser = connectionChooser;
 	}
@@ -64,8 +64,8 @@ class KeyAgreementConnector {
 	Payload listen(KeyPair localKeyPair) {
 		LOG.info("Starting BQP listeners");
 		// Derive commitment
-		byte[] commitment = keyAgreementCrypto.deriveKeyCommitment(
-				localKeyPair.getPublic());
+		byte[] commitment = crypto.deriveKeyCommitment(
+				localKeyPair.getPublic().getEncoded());
 		// Start all listeners and collect their descriptors
 		List<TransportDescriptor> descriptors = new ArrayList<>();
 		for (DuplexPlugin plugin : pluginManager.getKeyAgreementPlugins()) {

bramble-core/src/main/java/org/briarproject/bramble/keyagreement/KeyAgreementModule.java

@@ -2,7 +2,7 @@ package org.briarproject.bramble.keyagreement;
 
 import org.briarproject.bramble.api.data.BdfReaderFactory;
 import org.briarproject.bramble.api.data.BdfWriterFactory;
-import org.briarproject.bramble.api.keyagreement.KeyAgreementTask;
+import org.briarproject.bramble.api.keyagreement.KeyAgreementTaskFactory;
 import org.briarproject.bramble.api.keyagreement.PayloadEncoder;
 import org.briarproject.bramble.api.keyagreement.PayloadParser;
 
@@ -13,9 +13,9 @@ import dagger.Provides;
 public class KeyAgreementModule {
 
 	@Provides
-	KeyAgreementTask provideKeyAgreementTask(
-			KeyAgreementTaskImpl keyAgreementTask) {
-		return keyAgreementTask;
+	KeyAgreementTaskFactory provideKeyAgreementTaskFactory(
+			KeyAgreementTaskFactoryImpl keyAgreementTaskFactory) {
+		return keyAgreementTaskFactory;
 	}
 
 	@Provides

bramble-core/src/main/java/org/briarproject/bramble/keyagreement/KeyAgreementProtocol.java

@@ -1,10 +1,7 @@
 package org.briarproject.bramble.keyagreement;
 
 import org.briarproject.bramble.api.crypto.CryptoComponent;
-import org.briarproject.bramble.api.crypto.KeyAgreementCrypto;
 import org.briarproject.bramble.api.crypto.KeyPair;
-import org.briarproject.bramble.api.crypto.KeyParser;
-import org.briarproject.bramble.api.crypto.PublicKey;
 import org.briarproject.bramble.api.crypto.SecretKey;
 import org.briarproject.bramble.api.keyagreement.Payload;
 import org.briarproject.bramble.api.keyagreement.PayloadEncoder;
@@ -14,10 +11,6 @@ import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
 
-import static org.briarproject.bramble.api.keyagreement.KeyAgreementConstants.MASTER_SECRET_LABEL;
-import static org.briarproject.bramble.api.keyagreement.KeyAgreementConstants.PROTOCOL_VERSION;
-import static org.briarproject.bramble.api.keyagreement.KeyAgreementConstants.SHARED_SECRET_LABEL;
-
 /**
  * Implementation of the BQP protocol.
  * <p/>
@@ -64,7 +57,6 @@ class KeyAgreementProtocol {
 
 	private final Callbacks callbacks;
 	private final CryptoComponent crypto;
-	private final KeyAgreementCrypto keyAgreementCrypto;
 	private final PayloadEncoder payloadEncoder;
 	private final KeyAgreementTransport transport;
 	private final Payload theirPayload, ourPayload;
@@ -72,13 +64,11 @@ class KeyAgreementProtocol {
 	private final boolean alice;
 
 	KeyAgreementProtocol(Callbacks callbacks, CryptoComponent crypto,
-			KeyAgreementCrypto keyAgreementCrypto,
 			PayloadEncoder payloadEncoder, KeyAgreementTransport transport,
 			Payload theirPayload, Payload ourPayload, KeyPair ourKeyPair,
 			boolean alice) {
 		this.callbacks = callbacks;
 		this.crypto = crypto;
-		this.keyAgreementCrypto = keyAgreementCrypto;
 		this.payloadEncoder = payloadEncoder;
 		this.transport = transport;
 		this.theirPayload = theirPayload;
@@ -96,7 +86,7 @@ class KeyAgreementProtocol {
 	 */
 	SecretKey perform() throws AbortException, IOException {
 		try {
-			PublicKey theirPublicKey;
+			byte[] theirPublicKey;
 			if (alice) {
 				sendKey();
 				// Alice waits here for Bob to scan her QR code, determine his
@@ -115,7 +105,7 @@ class KeyAgreementProtocol {
 				receiveConfirm(s, theirPublicKey);
 				sendConfirm(s, theirPublicKey);
 			}
-			return crypto.deriveKey(MASTER_SECRET_LABEL, s);
+			return crypto.deriveMasterSecret(s);
 		} catch (AbortException e) {
 			sendAbort(e.getCause() != null);
 			throw e;
@@ -126,41 +116,27 @@ class KeyAgreementProtocol {
 		transport.sendKey(ourKeyPair.getPublic().getEncoded());
 	}
 
-	private PublicKey receiveKey() throws AbortException {
-		byte[] publicKeyBytes = transport.receiveKey();
+	private byte[] receiveKey() throws AbortException {
+		byte[] publicKey = transport.receiveKey();
 		callbacks.initialRecordReceived();
-		KeyParser keyParser = crypto.getAgreementKeyParser();
-		try {
-			PublicKey publicKey = keyParser.parsePublicKey(publicKeyBytes);
-			byte[] expected = keyAgreementCrypto.deriveKeyCommitment(publicKey);
-			if (!Arrays.equals(expected, theirPayload.getCommitment()))
-				throw new AbortException();
-			return publicKey;
-		} catch (GeneralSecurityException e) {
+		byte[] expected = crypto.deriveKeyCommitment(publicKey);
+		if (!Arrays.equals(expected, theirPayload.getCommitment()))
 			throw new AbortException();
-		}
+		return publicKey;
 	}
 
-	private SecretKey deriveSharedSecret(PublicKey theirPublicKey)
+	private SecretKey deriveSharedSecret(byte[] theirPublicKey)
 			throws AbortException {
 		try {
-			byte[] ourPublicKeyBytes = ourKeyPair.getPublic().getEncoded();
-			byte[] theirPublicKeyBytes = theirPublicKey.getEncoded();
-			byte[][] inputs = {
-					new byte[] {PROTOCOL_VERSION},
-					alice ? ourPublicKeyBytes : theirPublicKeyBytes,
-					alice ? theirPublicKeyBytes : ourPublicKeyBytes
-			};
-			return crypto.deriveSharedSecret(SHARED_SECRET_LABEL,
-					theirPublicKey, ourKeyPair, inputs);
+			return crypto.deriveSharedSecret(theirPublicKey, ourKeyPair, alice);
 		} catch (GeneralSecurityException e) {
 			throw new AbortException(e);
 		}
 	}
 
-	private void sendConfirm(SecretKey s, PublicKey theirPublicKey)
+	private void sendConfirm(SecretKey s, byte[] theirPublicKey)
 			throws IOException {
-		byte[] confirm = keyAgreementCrypto.deriveConfirmationRecord(s,
+		byte[] confirm = crypto.deriveConfirmationRecord(s,
 				payloadEncoder.encode(theirPayload),
 				payloadEncoder.encode(ourPayload),
 				theirPublicKey, ourKeyPair,
@@ -168,10 +144,10 @@ class KeyAgreementProtocol {
 		transport.sendConfirm(confirm);
 	}
 
-	private void receiveConfirm(SecretKey s, PublicKey theirPublicKey)
+	private void receiveConfirm(SecretKey s, byte[] theirPublicKey)
 			throws AbortException {
 		byte[] confirm = transport.receiveConfirm();
-		byte[] expected = keyAgreementCrypto.deriveConfirmationRecord(s,
+		byte[] expected = crypto.deriveConfirmationRecord(s,
 				payloadEncoder.encode(theirPayload),
 				payloadEncoder.encode(ourPayload),
 				theirPublicKey, ourKeyPair,

bramble-core/src/main/java/org/briarproject/bramble/keyagreement/KeyAgreementTaskFactoryImpl.java

@@ -0,0 +1,41 @@
+package org.briarproject.bramble.keyagreement;
+
+import org.briarproject.bramble.api.crypto.CryptoComponent;
+import org.briarproject.bramble.api.event.EventBus;
+import org.briarproject.bramble.api.keyagreement.KeyAgreementTask;
+import org.briarproject.bramble.api.keyagreement.KeyAgreementTaskFactory;
+import org.briarproject.bramble.api.keyagreement.PayloadEncoder;
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+import org.briarproject.bramble.api.plugin.PluginManager;
+
+import javax.annotation.concurrent.Immutable;
+import javax.inject.Inject;
+import javax.inject.Provider;
+
+@Immutable
+@NotNullByDefault
+class KeyAgreementTaskFactoryImpl implements KeyAgreementTaskFactory {
+
+	private final CryptoComponent crypto;
+	private final EventBus eventBus;
+	private final PayloadEncoder payloadEncoder;
+	private final PluginManager pluginManager;
+	private final Provider<ConnectionChooser> connectionChooserProvider;
+
+	@Inject
+	KeyAgreementTaskFactoryImpl(CryptoComponent crypto, EventBus eventBus,
+			PayloadEncoder payloadEncoder, PluginManager pluginManager,
+			Provider<ConnectionChooser> connectionChooserProvider) {
+		this.crypto = crypto;
+		this.eventBus = eventBus;
+		this.payloadEncoder = payloadEncoder;
+		this.pluginManager = pluginManager;
+		this.connectionChooserProvider = connectionChooserProvider;
+	}
+
+	@Override
+	public KeyAgreementTask createTask() {
+		return new KeyAgreementTaskImpl(crypto, eventBus, payloadEncoder,
+				pluginManager, connectionChooserProvider.get());
+	}
+}

bramble-core/src/main/java/org/briarproject/bramble/keyagreement/KeyAgreementTaskImpl.java

@@ -1,7 +1,6 @@
 package org.briarproject.bramble.keyagreement;
 
 import org.briarproject.bramble.api.crypto.CryptoComponent;
-import org.briarproject.bramble.api.crypto.KeyAgreementCrypto;
 import org.briarproject.bramble.api.crypto.KeyPair;
 import org.briarproject.bramble.api.crypto.SecretKey;
 import org.briarproject.bramble.api.event.EventBus;
@@ -22,8 +21,6 @@ import org.briarproject.bramble.api.plugin.PluginManager;
 import java.io.IOException;
 import java.util.logging.Logger;
 
-import javax.inject.Inject;
-
 import static java.util.logging.Level.WARNING;
 
 @MethodsNotNullByDefault
@@ -35,7 +32,6 @@ class KeyAgreementTaskImpl extends Thread implements KeyAgreementTask,
 			Logger.getLogger(KeyAgreementTaskImpl.class.getName());
 
 	private final CryptoComponent crypto;
-	private final KeyAgreementCrypto keyAgreementCrypto;
 	private final EventBus eventBus;
 	private final PayloadEncoder payloadEncoder;
 	private final KeyPair localKeyPair;
@@ -44,18 +40,15 @@ class KeyAgreementTaskImpl extends Thread implements KeyAgreementTask,
 	private Payload localPayload;
 	private Payload remotePayload;
 
-	@Inject
-	KeyAgreementTaskImpl(CryptoComponent crypto,
-			KeyAgreementCrypto keyAgreementCrypto, EventBus eventBus,
+	KeyAgreementTaskImpl(CryptoComponent crypto, EventBus eventBus,
 			PayloadEncoder payloadEncoder, PluginManager pluginManager,
 			ConnectionChooser connectionChooser) {
 		this.crypto = crypto;
-		this.keyAgreementCrypto = keyAgreementCrypto;
 		this.eventBus = eventBus;
 		this.payloadEncoder = payloadEncoder;
 		localKeyPair = crypto.generateAgreementKeyPair();
-		connector = new KeyAgreementConnector(this, keyAgreementCrypto,
-				pluginManager, connectionChooser);
+		connector = new KeyAgreementConnector(this, crypto, pluginManager,
+				connectionChooser);
 	}
 
 	@Override
@@ -102,8 +95,8 @@ class KeyAgreementTaskImpl extends Thread implements KeyAgreementTask,
 		// Run BQP protocol over the connection
 		LOG.info("Starting BQP protocol");
 		KeyAgreementProtocol protocol = new KeyAgreementProtocol(this, crypto,
-				keyAgreementCrypto, payloadEncoder, transport, remotePayload,
-				localPayload, localKeyPair, alice);
+				payloadEncoder, transport, remotePayload, localPayload,
+				localKeyPair, alice);
 		try {
 			SecretKey master = protocol.perform();
 			KeyAgreementResult result =

bramble-core/src/main/java/org/briarproject/bramble/keyagreement/PayloadEncoderImpl.java

@@ -29,10 +29,10 @@ class PayloadEncoderImpl implements PayloadEncoder {
 	@Override
 	public byte[] encode(Payload p) {
 		ByteArrayOutputStream out = new ByteArrayOutputStream();
-		out.write(PROTOCOL_VERSION);
 		BdfWriter w = bdfWriterFactory.createWriter(out);
 		try {
 			w.writeListStart(); // Payload start
+			w.writeLong(PROTOCOL_VERSION);
 			w.writeRaw(p.getCommitment());
 			for (TransportDescriptor d : p.getTransportDescriptors())
 				w.writeList(d.getDescriptor());

bramble-core/src/main/java/org/briarproject/bramble/keyagreement/PayloadParserImpl.java

@@ -1,7 +1,6 @@
 package org.briarproject.bramble.keyagreement;
 
 import org.briarproject.bramble.api.FormatException;
-import org.briarproject.bramble.api.UnsupportedVersionException;
 import org.briarproject.bramble.api.data.BdfList;
 import org.briarproject.bramble.api.data.BdfReader;
 import org.briarproject.bramble.api.data.BdfReaderFactory;
@@ -40,22 +39,20 @@ class PayloadParserImpl implements PayloadParser {
 	@Override
 	public Payload parse(byte[] raw) throws IOException {
 		ByteArrayInputStream in = new ByteArrayInputStream(raw);
-		// First byte: the protocol version
-		int protocolVersion = in.read();
-		if (protocolVersion == -1) throw new FormatException();
-		if (protocolVersion != PROTOCOL_VERSION)
-			throw new UnsupportedVersionException();
-		// The rest of the payload is a BDF list with one or more elements
 		BdfReader r = bdfReaderFactory.createReader(in);
+		// The payload is a BDF list with two or more elements
 		BdfList payload = r.readList();
-		if (payload.isEmpty()) throw new FormatException();
+		if (payload.size() < 2) throw new FormatException();
 		if (!r.eof()) throw new FormatException();
-		// First element: the public key commitment
-		byte[] commitment = payload.getRaw(0);
+		// First element: the protocol version
+		long protocolVersion = payload.getLong(0);
+		if (protocolVersion != PROTOCOL_VERSION) throw new FormatException();
+		// Second element: the public key commitment
+		byte[] commitment = payload.getRaw(1);
 		if (commitment.length != COMMIT_LENGTH) throw new FormatException();
 		// Remaining elements: transport descriptors
 		List<TransportDescriptor> recognised = new ArrayList<>();
-		for (int i = 1; i < payload.size(); i++) {
+		for (int i = 2; i < payload.size(); i++) {
 			BdfList descriptor = payload.getList(i);
 			long transportId = descriptor.getLong(0);
 			if (transportId == TRANSPORT_ID_BLUETOOTH) {

bramble-core/src/main/java/org/briarproject/bramble/plugin/ConnectionRegistryImpl.java

@@ -1,6 +1,5 @@
 package org.briarproject.bramble.plugin;
 
-import org.briarproject.bramble.api.Multiset;
 import org.briarproject.bramble.api.contact.ContactId;
 import org.briarproject.bramble.api.event.EventBus;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
@@ -37,14 +36,14 @@ class ConnectionRegistryImpl implements ConnectionRegistry {
 	private final Lock lock = new ReentrantLock();
 
 	// The following are locking: lock
-	private final Map<TransportId, Multiset<ContactId>> connections;
-	private final Multiset<ContactId> contactCounts;
+	private final Map<TransportId, Map<ContactId, Integer>> connections;
+	private final Map<ContactId, Integer> contactCounts;
 
 	@Inject
 	ConnectionRegistryImpl(EventBus eventBus) {
 		this.eventBus = eventBus;
 		connections = new HashMap<>();
-		contactCounts = new Multiset<>();
+		contactCounts = new HashMap<>();
 	}
 
 	@Override
@@ -57,13 +56,21 @@ class ConnectionRegistryImpl implements ConnectionRegistry {
 		boolean firstConnection = false;
 		lock.lock();
 		try {
-			Multiset<ContactId> m = connections.get(t);
+			Map<ContactId, Integer> m = connections.get(t);
 			if (m == null) {
-				m = new Multiset<>();
+				m = new HashMap<>();
 				connections.put(t, m);
 			}
-			m.add(c);
-			if (contactCounts.add(c) == 1) firstConnection = true;
+			Integer count = m.get(c);
+			if (count == null) m.put(c, 1);
+			else m.put(c, count + 1);
+			count = contactCounts.get(c);
+			if (count == null) {
+				firstConnection = true;
+				contactCounts.put(c, 1);
+			} else {
+				contactCounts.put(c, count + 1);
+			}
 		} finally {
 			lock.unlock();
 		}
@@ -84,10 +91,23 @@ class ConnectionRegistryImpl implements ConnectionRegistry {
 		boolean lastConnection = false;
 		lock.lock();
 		try {
-			Multiset<ContactId> m = connections.get(t);
+			Map<ContactId, Integer> m = connections.get(t);
 			if (m == null) throw new IllegalArgumentException();
-			m.remove(c);
-			if (contactCounts.remove(c) == 0) lastConnection = true;
+			Integer count = m.remove(c);
+			if (count == null) throw new IllegalArgumentException();
+			if (count == 1) {
+				if (m.isEmpty()) connections.remove(t);
+			} else {
+				m.put(c, count - 1);
+			}
+			count = contactCounts.get(c);
+			if (count == null) throw new IllegalArgumentException();
+			if (count == 1) {
+				lastConnection = true;
+				contactCounts.remove(c);
+			} else {
+				contactCounts.put(c, count - 1);
+			}
 		} finally {
 			lock.unlock();
 		}
@@ -102,7 +122,7 @@ class ConnectionRegistryImpl implements ConnectionRegistry {
 	public Collection<ContactId> getConnectedContacts(TransportId t) {
 		lock.lock();
 		try {
-			Multiset<ContactId> m = connections.get(t);
+			Map<ContactId, Integer> m = connections.get(t);
 			if (m == null) return Collections.emptyList();
 			List<ContactId> ids = new ArrayList<>(m.keySet());
 			if (LOG.isLoggable(INFO))
@@ -117,8 +137,8 @@ class ConnectionRegistryImpl implements ConnectionRegistry {
 	public boolean isConnected(ContactId c, TransportId t) {
 		lock.lock();
 		try {
-			Multiset<ContactId> m = connections.get(t);
-			return m != null && m.contains(c);
+			Map<ContactId, Integer> m = connections.get(t);
+			return m != null && m.containsKey(c);
 		} finally {
 			lock.unlock();
 		}
@@ -128,7 +148,7 @@ class ConnectionRegistryImpl implements ConnectionRegistry {
 	public boolean isConnected(ContactId c) {
 		lock.lock();
 		try {
-			return contactCounts.contains(c);
+			return contactCounts.containsKey(c);
 		} finally {
 			lock.unlock();
 		}

bramble-core/src/main/java/org/briarproject/bramble/properties/PropertiesModule.java

@@ -46,7 +46,8 @@ public class PropertiesModule {
 		lifecycleManager.registerClient(transportPropertyManager);
 		validationManager.registerIncomingMessageHook(CLIENT_ID,
 				transportPropertyManager);
-		contactManager.registerContactHook(transportPropertyManager);
+		contactManager.registerAddContactHook(transportPropertyManager);
+		contactManager.registerRemoveContactHook(transportPropertyManager);
 		return transportPropertyManager;
 	}
 }

bramble-core/src/main/java/org/briarproject/bramble/properties/TransportPropertyManagerImpl.java

@@ -5,7 +5,8 @@ import org.briarproject.bramble.api.client.ClientHelper;
 import org.briarproject.bramble.api.client.ContactGroupFactory;
 import org.briarproject.bramble.api.contact.Contact;
 import org.briarproject.bramble.api.contact.ContactId;
-import org.briarproject.bramble.api.contact.ContactManager.ContactHook;
+import org.briarproject.bramble.api.contact.ContactManager.AddContactHook;
+import org.briarproject.bramble.api.contact.ContactManager.RemoveContactHook;
 import org.briarproject.bramble.api.data.BdfDictionary;
 import org.briarproject.bramble.api.data.BdfList;
 import org.briarproject.bramble.api.data.MetadataParser;
@@ -39,7 +40,7 @@ import static org.briarproject.bramble.api.sync.Group.Visibility.SHARED;
 @Immutable
 @NotNullByDefault
 class TransportPropertyManagerImpl implements TransportPropertyManager,
-		Client, ContactHook, IncomingMessageHook {
+		Client, AddContactHook, RemoveContactHook, IncomingMessageHook {
 
 	private final DatabaseComponent db;
 	private final ClientHelper clientHelper;
@@ -57,8 +58,7 @@ class TransportPropertyManagerImpl implements TransportPropertyManager,
 		this.metadataParser = metadataParser;
 		this.contactGroupFactory = contactGroupFactory;
 		this.clock = clock;
-		localGroup = contactGroupFactory.createLocalGroup(CLIENT_ID,
-				CLIENT_VERSION);
+		localGroup = contactGroupFactory.createLocalGroup(CLIENT_ID);
 	}
 
 	@Override
@@ -130,7 +130,8 @@ class TransportPropertyManagerImpl implements TransportPropertyManager,
 	public Map<TransportId, TransportProperties> getLocalProperties()
 			throws DbException {
 		Map<TransportId, TransportProperties> local;
-		Transaction txn = db.startTransaction(true);
+		// TODO: Transaction can be read-only when code is simplified
+		Transaction txn = db.startTransaction(false);
 		try {
 			local = getLocalProperties(txn);
 			db.commitTransaction(txn);
@@ -165,7 +166,8 @@ class TransportPropertyManagerImpl implements TransportPropertyManager,
 			throws DbException {
 		try {
 			TransportProperties p = null;
-			Transaction txn = db.startTransaction(true);
+			// TODO: Transaction can be read-only when code is simplified
+			Transaction txn = db.startTransaction(false);
 			try {
 				// Find the latest local update
 				LatestUpdate latest = findLatest(txn, localGroup.getId(), t,
@@ -191,7 +193,8 @@ class TransportPropertyManagerImpl implements TransportPropertyManager,
 	public Map<ContactId, TransportProperties> getRemoteProperties(
 			TransportId t) throws DbException {
 		Map<ContactId, TransportProperties> remote = new HashMap<>();
-		Transaction txn = db.startTransaction(true);
+		// TODO: Transaction can be read-only when code is simplified
+		Transaction txn = db.startTransaction(false);
 		try {
 			for (Contact c : db.getContacts(txn))
 				remote.put(c.getId(), getRemoteProperties(txn, c, t));
@@ -225,7 +228,8 @@ class TransportPropertyManagerImpl implements TransportPropertyManager,
 	public TransportProperties getRemoteProperties(ContactId c, TransportId t)
 			throws DbException {
 		TransportProperties p;
-		Transaction txn = db.startTransaction(true);
+		// TODO: Transaction can be read-only when code is simplified
+		Transaction txn = db.startTransaction(false);
 		try {
 			p = getRemoteProperties(txn, db.getContact(txn, c), t);
 			db.commitTransaction(txn);
@@ -288,8 +292,7 @@ class TransportPropertyManagerImpl implements TransportPropertyManager,
 	}
 
 	private Group getContactGroup(Contact c) {
-		return contactGroupFactory.createContactGroup(CLIENT_ID,
-				CLIENT_VERSION, c);
+		return contactGroupFactory.createContactGroup(CLIENT_ID, c);
 	}
 
 	private void storeMessage(Transaction txn, GroupId g, TransportId t,
@@ -316,6 +319,7 @@ class TransportPropertyManagerImpl implements TransportPropertyManager,
 
 	private Map<TransportId, LatestUpdate> findLatestLocal(Transaction txn)
 			throws DbException, FormatException {
+		// TODO: This can be simplified before 1.0
 		Map<TransportId, LatestUpdate> latestUpdates = new HashMap<>();
 		Map<MessageId, BdfDictionary> metadata = clientHelper
 				.getMessageMetadataAsDictionary(txn, localGroup.getId());
@@ -323,7 +327,17 @@ class TransportPropertyManagerImpl implements TransportPropertyManager,
 			BdfDictionary meta = e.getValue();
 			TransportId t = new TransportId(meta.getString("transportId"));
 			long version = meta.getLong("version");
-			latestUpdates.put(t, new LatestUpdate(e.getKey(), version));
+			LatestUpdate latest = latestUpdates.get(t);
+			if (latest == null) {
+				latestUpdates.put(t, new LatestUpdate(e.getKey(), version));
+			} else if (version > latest.version) {
+				// This update is newer - delete the previous one
+				db.removeMessage(txn, latest.messageId);
+				latestUpdates.put(t, new LatestUpdate(e.getKey(), version));
+			} else {
+				// We've already found a newer update - delete this one
+				db.removeMessage(txn, e.getKey());
+			}
 		}
 		return latestUpdates;
 	}
@@ -331,23 +345,48 @@ class TransportPropertyManagerImpl implements TransportPropertyManager,
 	@Nullable
 	private LatestUpdate findLatest(Transaction txn, GroupId g, TransportId t,
 			boolean local) throws DbException, FormatException {
+		// TODO: This can be simplified before 1.0
+		LatestUpdate latest = null;
 		Map<MessageId, BdfDictionary> metadata =
 				clientHelper.getMessageMetadataAsDictionary(txn, g);
 		for (Entry<MessageId, BdfDictionary> e : metadata.entrySet()) {
 			BdfDictionary meta = e.getValue();
 			if (meta.getString("transportId").equals(t.getString())
 					&& meta.getBoolean("local") == local) {
-				return new LatestUpdate(e.getKey(), meta.getLong("version"));
+				long version = meta.getLong("version");
+				if (latest == null) {
+					latest = new LatestUpdate(e.getKey(), version);
+				} else if (version > latest.version) {
+					// This update is newer - delete the previous one
+					if (local) {
+						db.removeMessage(txn, latest.messageId);
+					} else {
+						db.deleteMessage(txn, latest.messageId);
+						db.deleteMessageMetadata(txn, latest.messageId);
+					}
+					latest = new LatestUpdate(e.getKey(), version);
+				} else {
+					// We've already found a newer update - delete this one
+					if (local) {
+						db.removeMessage(txn, e.getKey());
+					} else {
+						db.deleteMessage(txn, e.getKey());
+						db.deleteMessageMetadata(txn, e.getKey());
+					}
+				}
 			}
 		}
-		return null;
+		return latest;
 	}
 
 	private TransportProperties parseProperties(BdfList message)
 			throws FormatException {
 		// Transport ID, version, properties
 		BdfDictionary dictionary = message.getDictionary(2);
-		return clientHelper.parseAndValidateTransportProperties(dictionary);
+		TransportProperties p = new TransportProperties();
+		for (String key : dictionary.keySet())
+			p.put(key, dictionary.getString(key));
+		return p;
 	}
 
 	private static class LatestUpdate {

bramble-core/src/main/java/org/briarproject/bramble/properties/TransportPropertyValidator.java

@@ -15,6 +15,8 @@ import org.briarproject.bramble.api.system.Clock;
 import javax.annotation.concurrent.Immutable;
 
 import static org.briarproject.bramble.api.plugin.TransportId.MAX_TRANSPORT_ID_LENGTH;
+import static org.briarproject.bramble.api.properties.TransportPropertyConstants.MAX_PROPERTIES_PER_TRANSPORT;
+import static org.briarproject.bramble.api.properties.TransportPropertyConstants.MAX_PROPERTY_LENGTH;
 import static org.briarproject.bramble.util.ValidationUtils.checkLength;
 import static org.briarproject.bramble.util.ValidationUtils.checkSize;
 
@@ -40,7 +42,12 @@ class TransportPropertyValidator extends BdfMessageValidator {
 		if (version < 0) throw new FormatException();
 		// Properties
 		BdfDictionary dictionary = body.getDictionary(2);
-		clientHelper.parseAndValidateTransportProperties(dictionary);
+		checkSize(dictionary, 0, MAX_PROPERTIES_PER_TRANSPORT);
+		for (String key : dictionary.keySet()) {
+			checkLength(key, 0, MAX_PROPERTY_LENGTH);
+			String value = dictionary.getString(key);
+			checkLength(value, 0, MAX_PROPERTY_LENGTH);
+		}
 		// Return the metadata
 		BdfDictionary meta = new BdfDictionary();
 		meta.put("transportId", transportId);

bramble-core/src/main/java/org/briarproject/bramble/sync/GroupFactoryImpl.java

@@ -6,16 +6,11 @@ import org.briarproject.bramble.api.sync.ClientId;
 import org.briarproject.bramble.api.sync.Group;
 import org.briarproject.bramble.api.sync.GroupFactory;
 import org.briarproject.bramble.api.sync.GroupId;
-import org.briarproject.bramble.util.ByteUtils;
 import org.briarproject.bramble.util.StringUtils;
 
 import javax.annotation.concurrent.Immutable;
 import javax.inject.Inject;
 
-import static org.briarproject.bramble.api.sync.Group.FORMAT_VERSION;
-import static org.briarproject.bramble.api.sync.GroupId.LABEL;
-import static org.briarproject.bramble.util.ByteUtils.INT_32_BYTES;
-
 @Immutable
 @NotNullByDefault
 class GroupFactoryImpl implements GroupFactory {
@@ -28,12 +23,9 @@ class GroupFactoryImpl implements GroupFactory {
 	}
 
 	@Override
-	public Group createGroup(ClientId c, int clientVersion, byte[] descriptor) {
-		byte[] clientVersionBytes = new byte[INT_32_BYTES];
-		ByteUtils.writeUint32(clientVersion, clientVersionBytes, 0);
-		byte[] hash = crypto.hash(LABEL, new byte[] {FORMAT_VERSION},
-				StringUtils.toUtf8(c.getString()), clientVersionBytes,
-				descriptor);
+	public Group createGroup(ClientId c, byte[] descriptor) {
+		byte[] hash = crypto.hash(GroupId.LABEL,
+				StringUtils.toUtf8(c.getString()), descriptor);
 		return new Group(new GroupId(hash), c, descriptor);
 	}
 }

bramble-core/src/main/java/org/briarproject/bramble/sync/MessageFactoryImpl.java

@@ -12,12 +12,8 @@ import org.briarproject.bramble.util.ByteUtils;
 import javax.annotation.concurrent.Immutable;
 import javax.inject.Inject;
 
-import static org.briarproject.bramble.api.sync.Message.FORMAT_VERSION;
-import static org.briarproject.bramble.api.sync.MessageId.BLOCK_LABEL;
-import static org.briarproject.bramble.api.sync.MessageId.ID_LABEL;
 import static org.briarproject.bramble.api.sync.SyncConstants.MAX_MESSAGE_BODY_LENGTH;
 import static org.briarproject.bramble.api.sync.SyncConstants.MESSAGE_HEADER_LENGTH;
-import static org.briarproject.bramble.util.ByteUtils.INT_64_BYTES;
 
 @Immutable
 @NotNullByDefault
@@ -34,13 +30,10 @@ class MessageFactoryImpl implements MessageFactory {
 	public Message createMessage(GroupId g, long timestamp, byte[] body) {
 		if (body.length > MAX_MESSAGE_BODY_LENGTH)
 			throw new IllegalArgumentException();
-		byte[] versionBytes = new byte[] {FORMAT_VERSION};
-		// There's only one block, so the root hash is the hash of the block
-		byte[] rootHash = crypto.hash(BLOCK_LABEL, versionBytes, body);
-		byte[] timeBytes = new byte[INT_64_BYTES];
+		byte[] timeBytes = new byte[ByteUtils.INT_64_BYTES];
 		ByteUtils.writeUint64(timestamp, timeBytes, 0);
-		byte[] idHash = crypto.hash(ID_LABEL, versionBytes, g.getBytes(),
-				timeBytes, rootHash);
+		byte[] idHash =
+				crypto.hash(MessageId.LABEL, g.getBytes(), timeBytes, body);
 		MessageId id = new MessageId(idHash);
 		byte[] raw = new byte[MESSAGE_HEADER_LENGTH + body.length];
 		System.arraycopy(g.getBytes(), 0, raw, 0, UniqueId.LENGTH);

bramble-core/src/main/java/org/briarproject/bramble/transport/KeyManagerImpl.java

@@ -19,7 +19,6 @@ import org.briarproject.bramble.api.plugin.TransportId;
 import org.briarproject.bramble.api.plugin.duplex.DuplexPluginFactory;
 import org.briarproject.bramble.api.plugin.simplex.SimplexPluginFactory;
 import org.briarproject.bramble.api.transport.KeyManager;
-import org.briarproject.bramble.api.transport.KeySetId;
 import org.briarproject.bramble.api.transport.StreamContext;
 
 import java.util.HashMap;
@@ -105,67 +104,6 @@ class KeyManagerImpl implements KeyManager, Service, EventListener {
 			m.addContact(txn, c, master, timestamp, alice);
 	}
 
-	@Override
-	public Map<TransportId, KeySetId> addUnboundKeys(Transaction txn,
-			SecretKey master, long timestamp, boolean alice)
-			throws DbException {
-		Map<TransportId, KeySetId> ids = new HashMap<>();
-		for (Entry<TransportId, TransportKeyManager> e : managers.entrySet()) {
-			TransportId t = e.getKey();
-			TransportKeyManager m = e.getValue();
-			ids.put(t, m.addUnboundKeys(txn, master, timestamp, alice));
-		}
-		return ids;
-	}
-
-	@Override
-	public void bindKeys(Transaction txn, ContactId c,
-			Map<TransportId, KeySetId> keys) throws DbException {
-		for (Entry<TransportId, KeySetId> e : keys.entrySet()) {
-			TransportId t = e.getKey();
-			TransportKeyManager m = managers.get(t);
-			if (m == null) {
-				if (LOG.isLoggable(INFO)) LOG.info("No key manager for " + t);
-			} else {
-				m.bindKeys(txn, c, e.getValue());
-			}
-		}
-	}
-
-	@Override
-	public void activateKeys(Transaction txn, Map<TransportId, KeySetId> keys)
-			throws DbException {
-		for (Entry<TransportId, KeySetId> e : keys.entrySet()) {
-			TransportId t = e.getKey();
-			TransportKeyManager m = managers.get(t);
-			if (m == null) {
-				if (LOG.isLoggable(INFO)) LOG.info("No key manager for " + t);
-			} else {
-				m.activateKeys(txn, e.getValue());
-			}
-		}
-	}
-
-	@Override
-	public void removeKeys(Transaction txn, Map<TransportId, KeySetId> keys)
-			throws DbException {
-		for (Entry<TransportId, KeySetId> e : keys.entrySet()) {
-			TransportId t = e.getKey();
-			TransportKeyManager m = managers.get(t);
-			if (m == null) {
-				if (LOG.isLoggable(INFO)) LOG.info("No key manager for " + t);
-			} else {
-				m.removeKeys(txn, e.getValue());
-			}
-		}
-	}
-
-	@Override
-	public boolean canSendOutgoingStreams(ContactId c, TransportId t) {
-		TransportKeyManager m = managers.get(t);
-		return m == null ? false : m.canSendOutgoingStreams(c);
-	}
-
 	@Override
 	public StreamContext getStreamContext(ContactId c, TransportId t)
 			throws DbException {
@@ -176,7 +114,7 @@ class KeyManagerImpl implements KeyManager, Service, EventListener {
 			if (LOG.isLoggable(INFO)) LOG.info("No key manager for " + t);
 			return null;
 		}
-		StreamContext ctx;
+		StreamContext ctx = null;
 		Transaction txn = db.startTransaction(false);
 		try {
 			ctx = m.getStreamContext(txn, c);
@@ -195,7 +133,7 @@ class KeyManagerImpl implements KeyManager, Service, EventListener {
 			if (LOG.isLoggable(INFO)) LOG.info("No key manager for " + t);
 			return null;
 		}
-		StreamContext ctx;
+		StreamContext ctx = null;
 		Transaction txn = db.startTransaction(false);
 		try {
 			ctx = m.getStreamContext(txn, tag);

bramble-core/src/main/java/org/briarproject/bramble/transport/MutableKeySet.java

@@ -1,34 +0,0 @@
-package org.briarproject.bramble.transport;
-
-import org.briarproject.bramble.api.contact.ContactId;
-import org.briarproject.bramble.api.transport.KeySetId;
-
-import javax.annotation.Nullable;
-
-public class MutableKeySet {
-
-	private final KeySetId keySetId;
-	@Nullable
-	private final ContactId contactId;
-	private final MutableTransportKeys transportKeys;
-
-	public MutableKeySet(KeySetId keySetId, @Nullable ContactId contactId,
-			MutableTransportKeys transportKeys) {
-		this.keySetId = keySetId;
-		this.contactId = contactId;
-		this.transportKeys = transportKeys;
-	}
-
-	public KeySetId getKeySetId() {
-		return keySetId;
-	}
-
-	@Nullable
-	public ContactId getContactId() {
-		return contactId;
-	}
-
-	public MutableTransportKeys getTransportKeys() {
-		return transportKeys;
-	}
-}

bramble-core/src/main/java/org/briarproject/bramble/transport/MutableOutgoingKeys.java

@@ -13,19 +13,17 @@ class MutableOutgoingKeys {
 	private final SecretKey tagKey, headerKey;
 	private final long rotationPeriod;
 	private long streamCounter;
-	private boolean active;
 
 	MutableOutgoingKeys(OutgoingKeys out) {
 		tagKey = out.getTagKey();
 		headerKey = out.getHeaderKey();
 		rotationPeriod = out.getRotationPeriod();
 		streamCounter = out.getStreamCounter();
-		active = out.isActive();
 	}
 
 	OutgoingKeys snapshot() {
 		return new OutgoingKeys(tagKey, headerKey, rotationPeriod,
-				streamCounter, active);
+				streamCounter);
 	}
 
 	SecretKey getTagKey() {
@@ -47,12 +45,4 @@ class MutableOutgoingKeys {
 	void incrementStreamCounter() {
 		streamCounter++;
 	}
-
-	boolean isActive() {
-		return active;
-	}
-
-	void activate() {
-		active = true;
-	}
 }

bramble-core/src/main/java/org/briarproject/bramble/transport/TransportKeyManager.java

@@ -5,7 +5,6 @@ import org.briarproject.bramble.api.crypto.SecretKey;
 import org.briarproject.bramble.api.db.DbException;
 import org.briarproject.bramble.api.db.Transaction;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-import org.briarproject.bramble.api.transport.KeySetId;
 import org.briarproject.bramble.api.transport.StreamContext;
 
 import javax.annotation.Nullable;
@@ -18,19 +17,8 @@ interface TransportKeyManager {
 	void addContact(Transaction txn, ContactId c, SecretKey master,
 			long timestamp, boolean alice) throws DbException;
 
-	KeySetId addUnboundKeys(Transaction txn, SecretKey master, long timestamp,
-			boolean alice) throws DbException;
-
-	void bindKeys(Transaction txn, ContactId c, KeySetId k) throws DbException;
-
-	void activateKeys(Transaction txn, KeySetId k) throws DbException;
-
-	void removeKeys(Transaction txn, KeySetId k) throws DbException;
-
 	void removeContact(ContactId c);
 
-	boolean canSendOutgoingStreams(ContactId c);
-
 	@Nullable
 	StreamContext getStreamContext(Transaction txn, ContactId c)
 			throws DbException;

bramble-core/src/main/java/org/briarproject/bramble/transport/TransportKeyManagerFactoryImpl.java

@@ -1,6 +1,6 @@
 package org.briarproject.bramble.transport;
 
-import org.briarproject.bramble.api.crypto.TransportCrypto;
+import org.briarproject.bramble.api.crypto.CryptoComponent;
 import org.briarproject.bramble.api.db.DatabaseComponent;
 import org.briarproject.bramble.api.db.DatabaseExecutor;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
@@ -20,18 +20,17 @@ class TransportKeyManagerFactoryImpl implements
 		TransportKeyManagerFactory {
 
 	private final DatabaseComponent db;
-	private final TransportCrypto transportCrypto;
+	private final CryptoComponent crypto;
 	private final Executor dbExecutor;
 	private final ScheduledExecutorService scheduler;
 	private final Clock clock;
 
 	@Inject
-	TransportKeyManagerFactoryImpl(DatabaseComponent db,
-			TransportCrypto transportCrypto,
+	TransportKeyManagerFactoryImpl(DatabaseComponent db, CryptoComponent crypto,
 			@DatabaseExecutor Executor dbExecutor,
 			@Scheduler ScheduledExecutorService scheduler, Clock clock) {
 		this.db = db;
-		this.transportCrypto = transportCrypto;
+		this.crypto = crypto;
 		this.dbExecutor = dbExecutor;
 		this.scheduler = scheduler;
 		this.clock = clock;
@@ -40,8 +39,8 @@ class TransportKeyManagerFactoryImpl implements
 	@Override
 	public TransportKeyManager createTransportKeyManager(
 			TransportId transportId, long maxLatency) {
-		return new TransportKeyManagerImpl(db, transportCrypto, dbExecutor,
-				scheduler, clock, transportId, maxLatency);
+		return new TransportKeyManagerImpl(db, crypto, dbExecutor, scheduler,
+				clock, transportId, maxLatency);
 	}
 
 }

bramble-core/src/main/java/org/briarproject/bramble/transport/TransportKeyManagerImpl.java

@@ -2,8 +2,8 @@ package org.briarproject.bramble.transport;
 
 import org.briarproject.bramble.api.Bytes;
 import org.briarproject.bramble.api.contact.ContactId;
+import org.briarproject.bramble.api.crypto.CryptoComponent;
 import org.briarproject.bramble.api.crypto.SecretKey;
-import org.briarproject.bramble.api.crypto.TransportCrypto;
 import org.briarproject.bramble.api.db.DatabaseComponent;
 import org.briarproject.bramble.api.db.DbException;
 import org.briarproject.bramble.api.db.Transaction;
@@ -11,24 +11,19 @@ import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
 import org.briarproject.bramble.api.plugin.TransportId;
 import org.briarproject.bramble.api.system.Clock;
 import org.briarproject.bramble.api.system.Scheduler;
-import org.briarproject.bramble.api.transport.KeySet;
-import org.briarproject.bramble.api.transport.KeySetId;
 import org.briarproject.bramble.api.transport.StreamContext;
 import org.briarproject.bramble.api.transport.TransportKeys;
 import org.briarproject.bramble.transport.ReorderingWindow.Change;
 
-import java.util.ArrayList;
-import java.util.Collection;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.Map.Entry;
 import java.util.concurrent.Executor;
 import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.logging.Logger;
 
-import javax.annotation.Nullable;
 import javax.annotation.concurrent.ThreadSafe;
 
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
@@ -46,41 +41,43 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 			Logger.getLogger(TransportKeyManagerImpl.class.getName());
 
 	private final DatabaseComponent db;
-	private final TransportCrypto transportCrypto;
+	private final CryptoComponent crypto;
 	private final Executor dbExecutor;
 	private final ScheduledExecutorService scheduler;
 	private final Clock clock;
 	private final TransportId transportId;
 	private final long rotationPeriodLength;
-	private final AtomicBoolean used = new AtomicBoolean(false);
-	private final ReentrantLock lock = new ReentrantLock();
+	private final ReentrantLock lock;
 
 	// The following are locking: lock
-	private final Map<KeySetId, MutableKeySet> keys = new HashMap<>();
-	private final Map<Bytes, TagContext> inContexts = new HashMap<>();
-	private final Map<ContactId, MutableKeySet> outContexts = new HashMap<>();
+	private final Map<Bytes, TagContext> inContexts;
+	private final Map<ContactId, MutableOutgoingKeys> outContexts;
+	private final Map<ContactId, MutableTransportKeys> keys;
 
-	TransportKeyManagerImpl(DatabaseComponent db,
-			TransportCrypto transportCrypto, Executor dbExecutor,
-			@Scheduler ScheduledExecutorService scheduler, Clock clock,
-			TransportId transportId, long maxLatency) {
+	TransportKeyManagerImpl(DatabaseComponent db, CryptoComponent crypto,
+			Executor dbExecutor, @Scheduler ScheduledExecutorService scheduler,
+			Clock clock, TransportId transportId, long maxLatency) {
 		this.db = db;
-		this.transportCrypto = transportCrypto;
+		this.crypto = crypto;
 		this.dbExecutor = dbExecutor;
 		this.scheduler = scheduler;
 		this.clock = clock;
 		this.transportId = transportId;
 		rotationPeriodLength = maxLatency + MAX_CLOCK_DIFFERENCE;
+		lock = new ReentrantLock();
+		inContexts = new HashMap<>();
+		outContexts = new HashMap<>();
+		keys = new HashMap<>();
 	}
 
 	@Override
 	public void start(Transaction txn) throws DbException {
-		if (used.getAndSet(true)) throw new IllegalStateException();
 		long now = clock.currentTimeMillis();
 		lock.lock();
 		try {
 			// Load the transport keys from the DB
-			Collection<KeySet> loaded = db.getTransportKeys(txn, transportId);
+			Map<ContactId, TransportKeys> loaded =
+					db.getTransportKeys(txn, transportId);
 			// Rotate the keys to the current rotation period
 			RotationResult rotationResult = rotateKeys(loaded, now);
 			// Initialise mutable state for all contacts
@@ -95,66 +92,47 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 		scheduleKeyRotation(now);
 	}
 
-	private RotationResult rotateKeys(Collection<KeySet> keys, long now) {
+	private RotationResult rotateKeys(Map<ContactId, TransportKeys> keys,
+			long now) {
 		RotationResult rotationResult = new RotationResult();
 		long rotationPeriod = now / rotationPeriodLength;
-		for (KeySet ks : keys) {
-			TransportKeys k = ks.getTransportKeys();
-			TransportKeys k1 =
-					transportCrypto.rotateTransportKeys(k, rotationPeriod);
-			KeySet ks1 = new KeySet(ks.getKeySetId(), ks.getContactId(), k1);
+		for (Entry<ContactId, TransportKeys> e : keys.entrySet()) {
+			ContactId c = e.getKey();
+			TransportKeys k = e.getValue();
+			TransportKeys k1 = crypto.rotateTransportKeys(k, rotationPeriod);
 			if (k1.getRotationPeriod() > k.getRotationPeriod())
-				rotationResult.rotated.add(ks1);
-			rotationResult.current.add(ks1);
+				rotationResult.rotated.put(c, k1);
+			rotationResult.current.put(c, k1);
 		}
 		return rotationResult;
 	}
 
 	// Locking: lock
-	private void addKeys(Collection<KeySet> keys) {
-		for (KeySet ks : keys) {
-			addKeys(ks.getKeySetId(), ks.getContactId(),
-					new MutableTransportKeys(ks.getTransportKeys()));
-		}
+	private void addKeys(Map<ContactId, TransportKeys> m) {
+		for (Entry<ContactId, TransportKeys> e : m.entrySet())
+			addKeys(e.getKey(), new MutableTransportKeys(e.getValue()));
 	}
 
 	// Locking: lock
-	private void addKeys(KeySetId keySetId, @Nullable ContactId contactId,
-			MutableTransportKeys m) {
-		MutableKeySet ks = new MutableKeySet(keySetId, contactId, m);
-		keys.put(keySetId, ks);
-		if (contactId != null) {
-			encodeTags(keySetId, contactId, m.getPreviousIncomingKeys());
-			encodeTags(keySetId, contactId, m.getCurrentIncomingKeys());
-			encodeTags(keySetId, contactId, m.getNextIncomingKeys());
-			considerReplacingOutgoingKeys(ks);
-		}
+	private void addKeys(ContactId c, MutableTransportKeys m) {
+		encodeTags(c, m.getPreviousIncomingKeys());
+		encodeTags(c, m.getCurrentIncomingKeys());
+		encodeTags(c, m.getNextIncomingKeys());
+		outContexts.put(c, m.getCurrentOutgoingKeys());
+		keys.put(c, m);
 	}
 
 	// Locking: lock
-	private void encodeTags(KeySetId keySetId, ContactId contactId,
-			MutableIncomingKeys inKeys) {
+	private void encodeTags(ContactId c, MutableIncomingKeys inKeys) {
 		for (long streamNumber : inKeys.getWindow().getUnseen()) {
-			TagContext tagCtx =
-					new TagContext(keySetId, contactId, inKeys, streamNumber);
+			TagContext tagCtx = new TagContext(c, inKeys, streamNumber);
 			byte[] tag = new byte[TAG_LENGTH];
-			transportCrypto.encodeTag(tag, inKeys.getTagKey(), PROTOCOL_VERSION,
+			crypto.encodeTag(tag, inKeys.getTagKey(), PROTOCOL_VERSION,
 					streamNumber);
 			inContexts.put(new Bytes(tag), tagCtx);
 		}
 	}
 
-	// Locking: lock
-	private void considerReplacingOutgoingKeys(MutableKeySet ks) {
-		// Use the active outgoing keys with the highest key set ID
-		if (ks.getTransportKeys().getCurrentOutgoingKeys().isActive()) {
-			MutableKeySet old = outContexts.get(ks.getContactId());
-			if (old == null ||
-					old.getKeySetId().getInt() < ks.getKeySetId().getInt())
-				outContexts.put(ks.getContactId(), ks);
-		}
-	}
-
 	private void scheduleKeyRotation(long now) {
 		long delay = rotationPeriodLength - now % rotationPeriodLength;
 		scheduler.schedule((Runnable) this::rotateKeys, delay, MILLISECONDS);
@@ -179,82 +157,20 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 	@Override
 	public void addContact(Transaction txn, ContactId c, SecretKey master,
 			long timestamp, boolean alice) throws DbException {
-		deriveAndAddKeys(txn, c, master, timestamp, alice, true);
-	}
-
-	@Override
-	public KeySetId addUnboundKeys(Transaction txn, SecretKey master,
-			long timestamp, boolean alice) throws DbException {
-		return deriveAndAddKeys(txn, null, master, timestamp, alice, false);
-	}
-
-	private KeySetId deriveAndAddKeys(Transaction txn, @Nullable ContactId c,
-			SecretKey master, long timestamp, boolean alice, boolean active)
-			throws DbException {
 		lock.lock();
 		try {
 			// Work out what rotation period the timestamp belongs to
 			long rotationPeriod = timestamp / rotationPeriodLength;
 			// Derive the transport keys
-			TransportKeys k = transportCrypto.deriveTransportKeys(transportId,
-					master, rotationPeriod, alice, active);
+			TransportKeys k = crypto.deriveTransportKeys(transportId, master,
+					rotationPeriod, alice);
 			// Rotate the keys to the current rotation period if necessary
 			rotationPeriod = clock.currentTimeMillis() / rotationPeriodLength;
-			k = transportCrypto.rotateTransportKeys(k, rotationPeriod);
-			// Write the keys back to the DB
-			KeySetId keySetId = db.addTransportKeys(txn, c, k);
+			k = crypto.rotateTransportKeys(k, rotationPeriod);
 			// Initialise mutable state for the contact
-			addKeys(keySetId, c, new MutableTransportKeys(k));
-			return keySetId;
-		} finally {
-			lock.unlock();
-		}
-	}
-
-	@Override
-	public void bindKeys(Transaction txn, ContactId c, KeySetId k)
-			throws DbException {
-		lock.lock();
-		try {
-			MutableKeySet ks = keys.get(k);
-			if (ks == null) throw new IllegalArgumentException();
-			// Check that the keys haven't already been bound
-			if (ks.getContactId() != null) throw new IllegalArgumentException();
-			MutableTransportKeys m = ks.getTransportKeys();
-			addKeys(k, c, m);
-			db.bindTransportKeys(txn, c, m.getTransportId(), k);
-		} finally {
-			lock.unlock();
-		}
-	}
-
-	@Override
-	public void activateKeys(Transaction txn, KeySetId k) throws DbException {
-		lock.lock();
-		try {
-			MutableKeySet ks = keys.get(k);
-			if (ks == null) throw new IllegalArgumentException();
-			// Check that the keys have been bound
-			if (ks.getContactId() == null) throw new IllegalArgumentException();
-			MutableTransportKeys m = ks.getTransportKeys();
-			m.getCurrentOutgoingKeys().activate();
-			considerReplacingOutgoingKeys(ks);
-			db.setTransportKeysActive(txn, m.getTransportId(), k);
-		} finally {
-			lock.unlock();
-		}
-	}
-
-	@Override
-	public void removeKeys(Transaction txn, KeySetId k) throws DbException {
-		lock.lock();
-		try {
-			MutableKeySet ks = keys.remove(k);
-			if (ks == null) throw new IllegalArgumentException();
-			// Check that the keys haven't been bound
-			if (ks.getContactId() != null) throw new IllegalArgumentException();
-			TransportId t = ks.getTransportKeys().getTransportId();
-			db.removeTransportKeys(txn, t, k);
+			addKeys(c, new MutableTransportKeys(k));
+			// Write the keys back to the DB
+			db.addTransportKeys(txn, c, k);
 		} finally {
 			lock.unlock();
 		}
@@ -265,29 +181,12 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 		lock.lock();
 		try {
 			// Remove mutable state for the contact
-			Iterator<TagContext> it = inContexts.values().iterator();
-			while (it.hasNext()) if (it.next().contactId.equals(c)) it.remove();
+			Iterator<Entry<Bytes, TagContext>> it =
+					inContexts.entrySet().iterator();
+			while (it.hasNext())
+				if (it.next().getValue().contactId.equals(c)) it.remove();
 			outContexts.remove(c);
-			Iterator<MutableKeySet> it1 = keys.values().iterator();
-			while (it1.hasNext()) {
-				ContactId c1 = it1.next().getContactId();
-				if (c1 != null && c1.equals(c)) it1.remove();
-			}
-		} finally {
-			lock.unlock();
-		}
-	}
-
-	@Override
-	public boolean canSendOutgoingStreams(ContactId c) {
-		lock.lock();
-		try {
-			MutableKeySet ks = outContexts.get(c);
-			if (ks == null) return false;
-			MutableOutgoingKeys outKeys =
-					ks.getTransportKeys().getCurrentOutgoingKeys();
-			if (!outKeys.isActive()) throw new AssertionError();
-			return outKeys.getStreamCounter() <= MAX_32_BIT_UNSIGNED;
+			keys.remove(c);
 		} finally {
 			lock.unlock();
 		}
@@ -299,11 +198,8 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 		lock.lock();
 		try {
 			// Look up the outgoing keys for the contact
-			MutableKeySet ks = outContexts.get(c);
-			if (ks == null) return null;
-			MutableOutgoingKeys outKeys =
-					ks.getTransportKeys().getCurrentOutgoingKeys();
-			if (!outKeys.isActive()) throw new AssertionError();
+			MutableOutgoingKeys outKeys = outContexts.get(c);
+			if (outKeys == null) return null;
 			if (outKeys.getStreamCounter() > MAX_32_BIT_UNSIGNED) return null;
 			// Create a stream context
 			StreamContext ctx = new StreamContext(c, transportId,
@@ -311,7 +207,8 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 					outKeys.getStreamCounter());
 			// Increment the stream counter and write it back to the DB
 			outKeys.incrementStreamCounter();
-			db.incrementStreamCounter(txn, transportId, ks.getKeySetId());
+			db.incrementStreamCounter(txn, c, transportId,
+					outKeys.getRotationPeriod());
 			return ctx;
 		} finally {
 			lock.unlock();
@@ -337,34 +234,23 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 			// Add tags for any stream numbers added to the window
 			for (long streamNumber : change.getAdded()) {
 				byte[] addTag = new byte[TAG_LENGTH];
-				transportCrypto.encodeTag(addTag, inKeys.getTagKey(),
-						PROTOCOL_VERSION, streamNumber);
-				TagContext tagCtx1 = new TagContext(tagCtx.keySetId,
-						tagCtx.contactId, inKeys, streamNumber);
-				inContexts.put(new Bytes(addTag), tagCtx1);
+				crypto.encodeTag(addTag, inKeys.getTagKey(), PROTOCOL_VERSION,
+						streamNumber);
+				inContexts.put(new Bytes(addTag), new TagContext(
+						tagCtx.contactId, inKeys, streamNumber));
 			}
 			// Remove tags for any stream numbers removed from the window
 			for (long streamNumber : change.getRemoved()) {
 				if (streamNumber == tagCtx.streamNumber) continue;
 				byte[] removeTag = new byte[TAG_LENGTH];
-				transportCrypto.encodeTag(removeTag, inKeys.getTagKey(),
+				crypto.encodeTag(removeTag, inKeys.getTagKey(),
 						PROTOCOL_VERSION, streamNumber);
 				inContexts.remove(new Bytes(removeTag));
 			}
 			// Write the window back to the DB
-			db.setReorderingWindow(txn, tagCtx.keySetId, transportId,
+			db.setReorderingWindow(txn, tagCtx.contactId, transportId,
 					inKeys.getRotationPeriod(), window.getBase(),
 					window.getBitmap());
-			// If the outgoing keys are inactive, activate them
-			MutableKeySet ks = keys.get(tagCtx.keySetId);
-			MutableOutgoingKeys outKeys =
-					ks.getTransportKeys().getCurrentOutgoingKeys();
-			if (!outKeys.isActive()) {
-				LOG.info("Activating outgoing keys");
-				outKeys.activate();
-				considerReplacingOutgoingKeys(ks);
-				db.setTransportKeysActive(txn, transportId, tagCtx.keySetId);
-			}
 			return ctx;
 		} finally {
 			lock.unlock();
@@ -376,11 +262,9 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 		lock.lock();
 		try {
 			// Rotate the keys to the current rotation period
-			Collection<KeySet> snapshot = new ArrayList<>(keys.size());
-			for (MutableKeySet ks : keys.values()) {
-				snapshot.add(new KeySet(ks.getKeySetId(), ks.getContactId(),
-						ks.getTransportKeys().snapshot()));
-			}
+			Map<ContactId, TransportKeys> snapshot = new HashMap<>();
+			for (Entry<ContactId, MutableTransportKeys> e : keys.entrySet())
+				snapshot.put(e.getKey(), e.getValue().snapshot());
 			RotationResult rotationResult = rotateKeys(snapshot, now);
 			// Rebuild the mutable state for all contacts
 			inContexts.clear();
@@ -399,14 +283,12 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 
 	private static class TagContext {
 
-		private final KeySetId keySetId;
 		private final ContactId contactId;
 		private final MutableIncomingKeys inKeys;
 		private final long streamNumber;
 
-		private TagContext(KeySetId keySetId, ContactId contactId,
-				MutableIncomingKeys inKeys, long streamNumber) {
-			this.keySetId = keySetId;
+		private TagContext(ContactId contactId, MutableIncomingKeys inKeys,
+				long streamNumber) {
 			this.contactId = contactId;
 			this.inKeys = inKeys;
 			this.streamNumber = streamNumber;
@@ -415,7 +297,11 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 
 	private static class RotationResult {
 
-		private final Collection<KeySet> current = new ArrayList<>();
-		private final Collection<KeySet> rotated = new ArrayList<>();
+		private final Map<ContactId, TransportKeys> current, rotated;
+
+		private RotationResult() {
+			current = new HashMap<>();
+			rotated = new HashMap<>();
+		}
 	}
 }

bramble-core/src/test/java/org/briarproject/bramble/client/ClientHelperImplTest.java

@@ -15,8 +15,6 @@ import org.briarproject.bramble.api.data.MetadataParser;
 import org.briarproject.bramble.api.db.DatabaseComponent;
 import org.briarproject.bramble.api.db.Metadata;
 import org.briarproject.bramble.api.db.Transaction;
-import org.briarproject.bramble.api.identity.Author;
-import org.briarproject.bramble.api.identity.AuthorFactory;
 import org.briarproject.bramble.api.sync.GroupId;
 import org.briarproject.bramble.api.sync.Message;
 import org.briarproject.bramble.api.sync.MessageFactory;
@@ -33,15 +31,9 @@ import java.security.GeneralSecurityException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.Random;
 
-import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_AUTHOR_NAME_LENGTH;
-import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_PUBLIC_KEY_LENGTH;
-import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_SIGNATURE_LENGTH;
-import static org.briarproject.bramble.test.TestUtils.getAuthor;
 import static org.briarproject.bramble.test.TestUtils.getRandomBytes;
 import static org.briarproject.bramble.test.TestUtils.getRandomId;
-import static org.briarproject.bramble.util.StringUtils.getRandomString;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
@@ -62,8 +54,7 @@ public class ClientHelperImplTest extends BrambleTestCase {
 			context.mock(MetadataEncoder.class);
 	private final CryptoComponent cryptoComponent =
 			context.mock(CryptoComponent.class);
-	private final AuthorFactory authorFactory =
-			context.mock(AuthorFactory.class);
+	private final ClientHelper clientHelper;
 
 	private final GroupId groupId = new GroupId(getRandomId());
 	private final BdfDictionary dictionary = new BdfDictionary();
@@ -75,15 +66,17 @@ public class ClientHelperImplTest extends BrambleTestCase {
 	private final Metadata metadata = new Metadata();
 	private final BdfList list = BdfList.of("Sign this!", getRandomBytes(42));
 	private final String label = StringUtils.getRandomString(5);
-	private final Author author = getAuthor();
 
-	private final ClientHelper clientHelper = new ClientHelperImpl(db,
-			messageFactory, bdfReaderFactory, bdfWriterFactory, metadataParser,
-			metadataEncoder, cryptoComponent, authorFactory);
+	public ClientHelperImplTest() {
+		clientHelper =
+				new ClientHelperImpl(db, messageFactory, bdfReaderFactory,
+						bdfWriterFactory, metadataParser, metadataEncoder,
+						cryptoComponent);
+	}
 
 	@Test
 	public void testAddLocalMessage() throws Exception {
-		boolean shared = new Random().nextBoolean();
+		boolean shared = true;
 		Transaction txn = new Transaction(null, false);
 
 		context.checking(new Expectations() {{
@@ -187,7 +180,8 @@ public class ClientHelperImplTest extends BrambleTestCase {
 			oneOf(db).endTransaction(txn);
 		}});
 
-		assertEquals(map, clientHelper.getMessageMetadataAsDictionary(groupId));
+		assertEquals(map,
+				clientHelper.getMessageMetadataAsDictionary(groupId));
 		context.assertIsSatisfied();
 	}
 
@@ -301,34 +295,31 @@ public class ClientHelperImplTest extends BrambleTestCase {
 
 	@Test
 	public void testVerifySignature() throws Exception {
-		byte[] signature = getRandomBytes(MAX_SIGNATURE_LENGTH);
 		byte[] publicKey = getRandomBytes(42);
-		byte[] signed = expectToByteArray(list);
+		byte[] bytes = expectToByteArray(list);
 
 		context.checking(new Expectations() {{
-			oneOf(cryptoComponent).verifySignature(signature, label, signed,
-					publicKey);
+			oneOf(cryptoComponent).verify(label, bytes, publicKey, rawMessage);
 			will(returnValue(true));
 		}});
 
-		clientHelper.verifySignature(signature, label, list, publicKey);
+		clientHelper.verifySignature(label, rawMessage, publicKey, list);
 		context.assertIsSatisfied();
 	}
 
 	@Test
 	public void testVerifyWrongSignature() throws Exception {
-		byte[] signature = getRandomBytes(MAX_SIGNATURE_LENGTH);
 		byte[] publicKey = getRandomBytes(42);
-		byte[] signed = expectToByteArray(list);
+		byte[] bytes = expectToByteArray(list);
 
 		context.checking(new Expectations() {{
-			oneOf(cryptoComponent).verifySignature(signature, label, signed,
-					publicKey);
+			oneOf(cryptoComponent).verify(label, bytes, publicKey, rawMessage);
 			will(returnValue(false));
 		}});
 
 		try {
-			clientHelper.verifySignature(signature, label, list, publicKey);
+			clientHelper
+					.verifySignature(label, rawMessage, publicKey, list);
 			fail();
 		} catch (GeneralSecurityException e) {
 			// expected
@@ -336,166 +327,6 @@ public class ClientHelperImplTest extends BrambleTestCase {
 		}
 	}
 
-	@Test
-	public void testParsesAndEncodesAuthor() throws Exception {
-		context.checking(new Expectations() {{
-			oneOf(authorFactory).createAuthor(author.getFormatVersion(),
-					author.getName(), author.getPublicKey());
-			will(returnValue(author));
-		}});
-
-		BdfList authorList = clientHelper.toList(author);
-		assertEquals(author, clientHelper.parseAndValidateAuthor(authorList));
-	}
-
-	@Test
-	public void testAcceptsValidAuthor() throws Exception {
-		BdfList authorList = BdfList.of(
-				author.getFormatVersion(),
-				author.getName(),
-				author.getPublicKey()
-		);
-
-		context.checking(new Expectations() {{
-			oneOf(authorFactory).createAuthor(author.getFormatVersion(),
-					author.getName(), author.getPublicKey());
-			will(returnValue(author));
-		}});
-
-		assertEquals(author, clientHelper.parseAndValidateAuthor(authorList));
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsTooShortAuthor() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion(),
-				author.getName()
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsTooLongAuthor() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion(),
-				author.getName(),
-				author.getPublicKey(),
-				"foo"
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithNullFormatVersion() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				null,
-				author.getName(),
-				author.getPublicKey()
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithNonIntegerFormatVersion()
-			throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				"foo",
-				author.getName(),
-				author.getPublicKey()
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithUnknownFormatVersion() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion() + 1,
-				author.getName(),
-				author.getPublicKey()
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithTooShortName() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion(),
-				"",
-				author.getPublicKey()
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithTooLongName() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion(),
-				getRandomString(MAX_AUTHOR_NAME_LENGTH + 1),
-				author.getPublicKey()
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithNullName() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion(),
-				null,
-				author.getPublicKey()
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithNonStringName() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion(),
-				getRandomBytes(5),
-				author.getPublicKey()
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithTooShortPublicKey() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion(),
-				author.getName(),
-				new byte[0]
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithTooLongPublicKey() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion(),
-				author.getName(),
-				getRandomBytes(MAX_PUBLIC_KEY_LENGTH + 1)
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithNullPublicKey() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion(),
-				author.getName(),
-				null
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
-	@Test(expected = FormatException.class)
-	public void testRejectsAuthorWithNonRawPublicKey() throws Exception {
-		BdfList invalidAuthor = BdfList.of(
-				author.getFormatVersion(),
-				author.getName(),
-				"foo"
-		);
-		clientHelper.parseAndValidateAuthor(invalidAuthor);
-	}
-
 	private byte[] expectToByteArray(BdfList list) throws Exception {
 		BdfWriter bdfWriter = context.mock(BdfWriter.class);
 
@@ -521,4 +352,5 @@ public class ClientHelperImplTest extends BrambleTestCase {
 			will(returnValue(eof));
 		}});
 	}
+
 }

bramble-core/src/test/java/org/briarproject/bramble/contact/ContactManagerImplTest.java

@@ -18,9 +18,8 @@ import org.junit.Test;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.Random;
 
-import static org.briarproject.bramble.test.TestUtils.getAuthor;
+import static org.briarproject.bramble.test.TestUtils.getRandomBytes;
 import static org.briarproject.bramble.test.TestUtils.getRandomId;
 import static org.briarproject.bramble.test.TestUtils.getSecretKey;
 import static org.junit.Assert.assertEquals;
@@ -33,7 +32,9 @@ public class ContactManagerImplTest extends BrambleMockTestCase {
 	private final KeyManager keyManager = context.mock(KeyManager.class);
 	private final ContactManager contactManager;
 	private final ContactId contactId = new ContactId(42);
-	private final Author remote = getAuthor();
+	private final Author remote =
+			new Author(new AuthorId(getRandomId()), "remote",
+					getRandomBytes(42));
 	private final AuthorId local = new AuthorId(getRandomId());
 	private final boolean verified = false, active = true;
 	private final Contact contact =
@@ -46,8 +47,8 @@ public class ContactManagerImplTest extends BrambleMockTestCase {
 	@Test
 	public void testAddContact() throws Exception {
 		SecretKey master = getSecretKey();
-		long timestamp = System.currentTimeMillis();
-		boolean alice = new Random().nextBoolean();
+		long timestamp = 42;
+		boolean alice = true;
 		Transaction txn = new Transaction(null, false);
 
 		context.checking(new Expectations() {{

bramble-core/src/test/java/org/briarproject/bramble/crypto/Blake2sDigestTest.java

@@ -3,76 +3,75 @@ package org.briarproject.bramble.crypto;
 import org.briarproject.bramble.test.BrambleTestCase;
 import org.briarproject.bramble.util.StringUtils;
 import org.junit.Test;
-import org.spongycastle.crypto.digests.Blake2bDigest;
 
 import java.util.Random;
 
 import static org.junit.Assert.assertArrayEquals;
 
-public class Blake2bDigestTest extends BrambleTestCase {
+public class Blake2sDigestTest extends BrambleTestCase {
 
-	// Vectors from BLAKE2 web site: https://blake2.net/Blake2b-test.txt
-	private static final String[][] KEYED_TEST_VECTORS = {
+	// Vectors from BLAKE2 web site: https://blake2.net/blake2s-test.txt
+	private static final String[][] keyedTestVectors = {
 			// input/message, key, hash
 			{
 					"",
-					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f",
-					"10ebb67700b1868efb4417987acf4690ae9d972fb7a590c2f02871799aaa4786b5e996e8f0f4eb981fc214b005f42d2ff4233499391653df7aefcbc13fc51568",
+					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+					"48a8997da407876b3d79c0d92325ad3b89cbb754d86ab71aee047ad345fd2c49",
 			},
 			{
 					"00",
-					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f",
-					"961f6dd1e4dd30f63901690c512e78e4b45e4742ed197c3c5e45c549fd25f2e4187b0bc9fe30492b16b0d0bc4ef9b0f34c7003fac09a5ef1532e69430234cebd",
+					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+					"40d15fee7c328830166ac3f918650f807e7e01e177258cdc0a39b11f598066f1",
 			},
 			{
 					"0001",
-					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f",
-					"da2cfbe2d8409a0f38026113884f84b50156371ae304c4430173d08a99d9fb1b983164a3770706d537f49e0c916d9f32b95cc37a95b99d857436f0232c88a965",
+					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+					"6bb71300644cd3991b26ccd4d274acd1adeab8b1d7914546c1198bbe9fc9d803",
 			},
 			{
 					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d",
-					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f",
-					"f1aa2b044f8f0c638a3f362e677b5d891d6fd2ab0765f6ee1e4987de057ead357883d9b405b9d609eea1b869d97fb16d9b51017c553f3b93c0a1e0f1296fedcd",
+					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+					"172ffc67153d12e0ca76a8b6cd5d4731885b39ce0cac93a8972a18006c8b8baf",
 			},
 			{
 					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3",
-					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f",
-					"c230f0802679cb33822ef8b3b21bf7a9a28942092901d7dac3760300831026cf354c9232df3e084d9903130c601f63c1f4a4a4b8106e468cd443bbe5a734f45f",
+					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+					"4f8ce1e51d2fe7f24043a904d898ebfc91975418753413aa099b795ecb35cedb",
 			},
 			{
 					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfe",
-					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f",
-					"142709d62e28fcccd0af97fad0f8465b971e82201dc51070faa0372aa43e92484be1c1e73ba10906d5d1853db6a4106e0a7bf9800d373d6dee2d46d62ef2a461",
+					"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+					"3fb735061abc519dfe979e54c1ee5bfad0a9d858b3315bad34bde999efd724dd",
 			},
 	};
 
 	@Test
 	public void testDigestWithKeyedTestVectors() {
-		for (String[] keyedTestVector : KEYED_TEST_VECTORS) {
+		Blake2sDigest digest = new Blake2sDigest(StringUtils.fromHexString(
+				keyedTestVectors[0][1]));
+		for (String[] keyedTestVector : keyedTestVectors) {
 			byte[] input = StringUtils.fromHexString(keyedTestVector[0]);
-			byte[] key = StringUtils.fromHexString(keyedTestVector[1]);
-			byte[] expected = StringUtils.fromHexString(keyedTestVector[2]);
+			digest.reset();
 
-			Blake2bDigest digest = new Blake2bDigest(key);
 			digest.update(input, 0, input.length);
-			byte[] hash = new byte[64];
+			byte[] hash = new byte[32];
 			digest.doFinal(hash, 0);
 
-			assertArrayEquals(expected, hash);
+			assertArrayEquals(StringUtils.fromHexString(keyedTestVector[2]),
+					hash);
 		}
 	}
 
 	@Test
 	public void testDigestWithKeyedTestVectorsAndRandomUpdate() {
+		Blake2sDigest digest = new Blake2sDigest(StringUtils.fromHexString(
+				keyedTestVectors[0][1]));
 		Random random = new Random();
 		for (int i = 0; i < 100; i++) {
-			for (String[] keyedTestVector : KEYED_TEST_VECTORS) {
+			for (String[] keyedTestVector : keyedTestVectors) {
 				byte[] input = StringUtils.fromHexString(keyedTestVector[0]);
-				if (input.length == 0) continue;
-				byte[] key = StringUtils.fromHexString(keyedTestVector[1]);
-				byte[] expected = StringUtils.fromHexString(keyedTestVector[2]);
-
-				Blake2bDigest digest = new Blake2bDigest(key);
+				if (input.length < 3) continue;
+				digest.reset();
 
 				int pos = random.nextInt(input.length);
 				if (pos > 0)
@@ -81,10 +80,11 @@ public class Blake2bDigestTest extends BrambleTestCase {
 				if (pos < (input.length - 1))
 					digest.update(input, pos + 1, input.length - (pos + 1));
 
-				byte[] hash = new byte[64];
+				byte[] hash = new byte[32];
 				digest.doFinal(hash, 0);
 
-				assertArrayEquals(expected, hash);
+				assertArrayEquals(StringUtils.fromHexString(keyedTestVector[2]),
+						hash);
 			}
 		}
 	}
@@ -98,12 +98,12 @@ public class Blake2bDigestTest extends BrambleTestCase {
 		byte[] input = new byte[key.length + 1];
 		for (byte i = 0; i < input.length; i++) input[i] = i;
 		// Hash the input
-		Blake2bDigest digest = new Blake2bDigest(key);
+		Blake2sDigest digest = new Blake2sDigest(key);
 		digest.update(input, 0, input.length);
 		byte[] hash = new byte[digest.getDigestSize()];
 		digest.doFinal(hash, 0);
 		// Create a second instance, hash the input without calling doFinal()
-		Blake2bDigest digest1 = new Blake2bDigest(key);
+		Blake2sDigest digest1 = new Blake2sDigest(key);
 		digest1.update(input, 0, input.length);
 		// Reset the second instance and hash the input again
 		digest1.reset();
@@ -116,10 +116,9 @@ public class Blake2bDigestTest extends BrambleTestCase {
 
 	// Self-test routine from https://tools.ietf.org/html/rfc7693#appendix-E
 	private static final String SELF_TEST_RESULT =
-			"C23A7800D98123BD10F506C61E29DA5603D763B8BBAD2E737F5E765A7BCCD475";
-	private static final int[] SELF_TEST_DIGEST_LEN = {20, 32, 48, 64};
-	private static final int[] SELF_TEST_INPUT_LEN =
-			{0, 3, 128, 129, 255, 1024};
+			"6A411F08CE25ADCDFB02ABA641451CEC53C598B24F4FC787FBDC88797F4C1DFE";
+	private static final int[] SELF_TEST_DIGEST_LEN = {16, 20, 28, 32};
+	private static final int[] SELF_TEST_INPUT_LEN = {0, 3, 64, 65, 255, 1024};
 
 	private static byte[] selfTestSequence(int len, int seed) {
 		int a = 0xDEAD4BAD * seed;
@@ -139,8 +138,8 @@ public class Blake2bDigestTest extends BrambleTestCase {
 
 	@Test
 	public void runSelfTest() {
-		Blake2bDigest testDigest = new Blake2bDigest(256);
-		byte[] md = new byte[64];
+		Blake2sDigest testDigest = new Blake2sDigest();
+		byte[] md = new byte[32];
 
 		for (int i = 0; i < 4; i++) {
 			int outlen = SELF_TEST_DIGEST_LEN[i];
@@ -149,7 +148,7 @@ public class Blake2bDigestTest extends BrambleTestCase {
 
 				// unkeyed hash
 				byte[] in = selfTestSequence(inlen, inlen);
-				Blake2bDigest unkeyedDigest = new Blake2bDigest(outlen * 8);
+				Blake2sDigest unkeyedDigest = new Blake2sDigest(outlen * 8);
 				unkeyedDigest.update(in, 0, inlen);
 				unkeyedDigest.doFinal(md, 0);
 				// hash the hash
@@ -157,7 +156,7 @@ public class Blake2bDigestTest extends BrambleTestCase {
 
 				// keyed hash
 				byte[] key = selfTestSequence(outlen, outlen);
-				Blake2bDigest keyedDigest = new Blake2bDigest(key, outlen, null,
+				Blake2sDigest keyedDigest = new Blake2sDigest(key, outlen, null,
 						null);
 				keyedDigest.update(in, 0, inlen);
 				keyedDigest.doFinal(md, 0);

bramble-core/src/test/java/org/briarproject/bramble/crypto/EdSignatureTest.java

@@ -1,169 +0,0 @@
-package org.briarproject.bramble.crypto;
-
-import org.briarproject.bramble.api.crypto.KeyPair;
-import org.junit.Test;
-
-import java.security.GeneralSecurityException;
-
-import static org.briarproject.bramble.util.StringUtils.fromHexString;
-import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertTrue;
-
-public class EdSignatureTest extends SignatureTest {
-
-	// Test vectors from RFC 8032: secret key, public key, message, signature
-	// https://tools.ietf.org/html/rfc8032#section-7.1
-	private static final String[][] TEST_VECTORS = {{
-			"9d61b19deffd5a60ba844af492ec2cc4" +
-					"4449c5697b326919703bac031cae7f60",
-			"d75a980182b10ab7d54bfed3c964073a" +
-					"0ee172f3daa62325af021a68f707511a",
-			"",
-			"e5564300c360ac729086e2cc806e828a" +
-					"84877f1eb8e5d974d873e06522490155" +
-					"5fb8821590a33bacc61e39701cf9b46b" +
-					"d25bf5f0595bbe24655141438e7a100b"
-	}, {
-			"4ccd089b28ff96da9db6c346ec114e0f" +
-					"5b8a319f35aba624da8cf6ed4fb8a6fb",
-			"3d4017c3e843895a92b70aa74d1b7ebc" +
-					"9c982ccf2ec4968cc0cd55f12af4660c",
-			"72",
-			"92a009a9f0d4cab8720e820b5f642540" +
-					"a2b27b5416503f8fb3762223ebdb69da" +
-					"085ac1e43e15996e458f3613d0f11d8c" +
-					"387b2eaeb4302aeeb00d291612bb0c00"
-	}, {
-			"c5aa8df43f9f837bedb7442f31dcb7b1" +
-					"66d38535076f094b85ce3a2e0b4458f7",
-			"fc51cd8e6218a1a38da47ed00230f058" +
-					"0816ed13ba3303ac5deb911548908025",
-			"af82",
-			"6291d657deec24024827e69c3abe01a3" +
-					"0ce548a284743a445e3680d7db5ac3ac" +
-					"18ff9b538d16f290ae67f760984dc659" +
-					"4a7c15e9716ed28dc027beceea1ec40a"
-	}, {
-			"f5e5767cf153319517630f226876b86c" +
-					"8160cc583bc013744c6bf255f5cc0ee5",
-			"278117fc144c72340f67d0f2316e8386" +
-					"ceffbf2b2428c9c51fef7c597f1d426e",
-			"08b8b2b733424243760fe426a4b54908" +
-					"632110a66c2f6591eabd3345e3e4eb98" +
-					"fa6e264bf09efe12ee50f8f54e9f77b1" +
-					"e355f6c50544e23fb1433ddf73be84d8" +
-					"79de7c0046dc4996d9e773f4bc9efe57" +
-					"38829adb26c81b37c93a1b270b20329d" +
-					"658675fc6ea534e0810a4432826bf58c" +
-					"941efb65d57a338bbd2e26640f89ffbc" +
-					"1a858efcb8550ee3a5e1998bd177e93a" +
-					"7363c344fe6b199ee5d02e82d522c4fe" +
-					"ba15452f80288a821a579116ec6dad2b" +
-					"3b310da903401aa62100ab5d1a36553e" +
-					"06203b33890cc9b832f79ef80560ccb9" +
-					"a39ce767967ed628c6ad573cb116dbef" +
-					"efd75499da96bd68a8a97b928a8bbc10" +
-					"3b6621fcde2beca1231d206be6cd9ec7" +
-					"aff6f6c94fcd7204ed3455c68c83f4a4" +
-					"1da4af2b74ef5c53f1d8ac70bdcb7ed1" +
-					"85ce81bd84359d44254d95629e9855a9" +
-					"4a7c1958d1f8ada5d0532ed8a5aa3fb2" +
-					"d17ba70eb6248e594e1a2297acbbb39d" +
-					"502f1a8c6eb6f1ce22b3de1a1f40cc24" +
-					"554119a831a9aad6079cad88425de6bd" +
-					"e1a9187ebb6092cf67bf2b13fd65f270" +
-					"88d78b7e883c8759d2c4f5c65adb7553" +
-					"878ad575f9fad878e80a0c9ba63bcbcc" +
-					"2732e69485bbc9c90bfbd62481d9089b" +
-					"eccf80cfe2df16a2cf65bd92dd597b07" +
-					"07e0917af48bbb75fed413d238f5555a" +
-					"7a569d80c3414a8d0859dc65a46128ba" +
-					"b27af87a71314f318c782b23ebfe808b" +
-					"82b0ce26401d2e22f04d83d1255dc51a" +
-					"ddd3b75a2b1ae0784504df543af8969b" +
-					"e3ea7082ff7fc9888c144da2af58429e" +
-					"c96031dbcad3dad9af0dcbaaaf268cb8" +
-					"fcffead94f3c7ca495e056a9b47acdb7" +
-					"51fb73e666c6c655ade8297297d07ad1" +
-					"ba5e43f1bca32301651339e22904cc8c" +
-					"42f58c30c04aafdb038dda0847dd988d" +
-					"cda6f3bfd15c4b4c4525004aa06eeff8" +
-					"ca61783aacec57fb3d1f92b0fe2fd1a8" +
-					"5f6724517b65e614ad6808d6f6ee34df" +
-					"f7310fdc82aebfd904b01e1dc54b2927" +
-					"094b2db68d6f903b68401adebf5a7e08" +
-					"d78ff4ef5d63653a65040cf9bfd4aca7" +
-					"984a74d37145986780fc0b16ac451649" +
-					"de6188a7dbdf191f64b5fc5e2ab47b57" +
-					"f7f7276cd419c17a3ca8e1b939ae49e4" +
-					"88acba6b965610b5480109c8b17b80e1" +
-					"b7b750dfc7598d5d5011fd2dcc5600a3" +
-					"2ef5b52a1ecc820e308aa342721aac09" +
-					"43bf6686b64b2579376504ccc493d97e" +
-					"6aed3fb0f9cd71a43dd497f01f17c0e2" +
-					"cb3797aa2a2f256656168e6c496afc5f" +
-					"b93246f6b1116398a346f1a641f3b041" +
-					"e989f7914f90cc2c7fff357876e506b5" +
-					"0d334ba77c225bc307ba537152f3f161" +
-					"0e4eafe595f6d9d90d11faa933a15ef1" +
-					"369546868a7f3a45a96768d40fd9d034" +
-					"12c091c6315cf4fde7cb68606937380d" +
-					"b2eaaa707b4c4185c32eddcdd306705e" +
-					"4dc1ffc872eeee475a64dfac86aba41c" +
-					"0618983f8741c5ef68d3a101e8a3b8ca" +
-					"c60c905c15fc910840b94c00a0b9d0",
-			"0aab4c900501b3e24d7cdf4663326a3a" +
-					"87df5e4843b2cbdb67cbf6e460fec350" +
-					"aa5371b1508f9f4528ecea23c436d94b" +
-					"5e8fcd4f681e30a6ac00a9704a188a03"
-	}, {
-			"833fe62409237b9d62ec77587520911e" +
-					"9a759cec1d19755b7da901b96dca3d42",
-			"ec172b93ad5e563bf4932c70e1245034" +
-					"c35467ef2efd4d64ebf819683467e2bf",
-			"ddaf35a193617abacc417349ae204131" +
-					"12e6fa4e89a97ea20a9eeee64b55d39a" +
-					"2192992a274fc1a836ba3c23a3feebbd" +
-					"454d4423643ce80e2a9ac94fa54ca49f",
-			"dc2a4459e7369633a52b1bf277839a00" +
-					"201009a3efbf3ecb69bea2186c26b589" +
-					"09351fc9ac90b3ecfdfbc7c66431e030" +
-					"3dca179c138ac17ad9bef1177331a704"
-	}};
-
-	@Override
-	protected KeyPair generateKeyPair() {
-		return crypto.generateSignatureKeyPair();
-	}
-
-	@Override
-	protected byte[] sign(String label, byte[] toSign, byte[] privateKey)
-			throws GeneralSecurityException {
-		return crypto.sign(label, toSign, privateKey);
-	}
-
-	@Override
-	protected boolean verify(byte[] signature, String label, byte[] signed,
-			byte[] publicKey) throws GeneralSecurityException {
-		return crypto.verifySignature(signature, label, signed, publicKey);
-	}
-
-	@Test
-	public void testRfc8032TestVectors() throws Exception {
-		for (String[] vector : TEST_VECTORS) {
-			byte[] privateKeyBytes = fromHexString(vector[0]);
-			byte[] publicKeyBytes = fromHexString(vector[1]);
-			byte[] messageBytes = fromHexString(vector[2]);
-			byte[] signatureBytes = fromHexString(vector[3]);
-
-			EdSignature signature = new EdSignature();
-			signature.initSign(new EdPrivateKey(privateKeyBytes));
-			signature.update(messageBytes);
-			assertArrayEquals(signatureBytes, signature.sign());
-
-			signature.initVerify(new EdPublicKey(publicKeyBytes));
-			signature.update(messageBytes);
-			assertTrue(signature.verify(signatureBytes));
-		}
-	}
-}

bramble-core/src/test/java/org/briarproject/bramble/crypto/EllipticCurveMultiplicationTest.java

@@ -13,11 +13,11 @@ import org.spongycastle.crypto.params.ECPrivateKeyParameters;
 import org.spongycastle.crypto.params.ECPublicKeyParameters;
 import org.spongycastle.math.ec.ECCurve;
 import org.spongycastle.math.ec.ECPoint;
-import org.spongycastle.math.ec.MontgomeryLadderMultiplier;
 
 import java.math.BigInteger;
 import java.security.SecureRandom;
 
+import static org.briarproject.bramble.crypto.EllipticCurveConstants.PARAMETERS;
 import static org.junit.Assert.assertEquals;
 
 public class EllipticCurveMultiplicationTest extends BrambleTestCase {
@@ -31,11 +31,15 @@ public class EllipticCurveMultiplicationTest extends BrambleTestCase {
 		ECPoint defaultG = defaultX9Parameters.getG();
 		BigInteger defaultN = defaultX9Parameters.getN();
 		BigInteger defaultH = defaultX9Parameters.getH();
+		// Check that the default parameters are equal to our parameters
+		assertEquals(PARAMETERS.getCurve(), defaultCurve);
+		assertEquals(PARAMETERS.getG(), defaultG);
+		assertEquals(PARAMETERS.getN(), defaultN);
+		assertEquals(PARAMETERS.getH(), defaultH);
+		// ECDomainParameters doesn't have an equals() method, but it's just a
+		// container for the parameters
 		ECDomainParameters defaultParameters = new ECDomainParameters(
 				defaultCurve, defaultG, defaultN, defaultH);
-		// Instantiate an implementation using the Montgomery ladder multiplier
-		ECDomainParameters montgomeryParameters =
-				constantTime(defaultParameters);
 		// Generate two key pairs with each set of parameters, using the same
 		// deterministic PRNG for both sets of parameters
 		byte[] seed = new byte[32];
@@ -43,7 +47,7 @@ public class EllipticCurveMultiplicationTest extends BrambleTestCase {
 		// Montgomery ladder multiplier
 		SecureRandom random = new PseudoSecureRandom(seed);
 		ECKeyGenerationParameters montgomeryGeneratorParams =
-				new ECKeyGenerationParameters(montgomeryParameters, random);
+				new ECKeyGenerationParameters(PARAMETERS, random);
 		ECKeyPairGenerator montgomeryGenerator = new ECKeyPairGenerator();
 		montgomeryGenerator.init(montgomeryGeneratorParams);
 		AsymmetricCipherKeyPair montgomeryKeyPair1 =
@@ -103,13 +107,4 @@ public class EllipticCurveMultiplicationTest extends BrambleTestCase {
 		assertEquals(sharedSecretMontgomeryMontgomery,
 				sharedSecretDefaultDefault);
 	}
-
-	private static ECDomainParameters constantTime(ECDomainParameters in) {
-		ECCurve curve = in.getCurve().configure().setMultiplier(
-				new MontgomeryLadderMultiplier()).create();
-		BigInteger x = in.getG().getAffineXCoord().toBigInteger();
-		BigInteger y = in.getG().getAffineYCoord().toBigInteger();
-		ECPoint g = curve.createPoint(x, y);
-		return new ECDomainParameters(curve, g, in.getN(), in.getH());
-	}
 }

bramble-core/src/test/java/org/briarproject/bramble/crypto/EllipticCurvePerformanceTest.java

@@ -1,20 +1,16 @@
 package org.briarproject.bramble.crypto;
 
-import net.i2p.crypto.eddsa.EdDSASecurityProvider;
-import net.i2p.crypto.eddsa.KeyPairGenerator;
-
 import org.spongycastle.asn1.sec.SECNamedCurves;
 import org.spongycastle.asn1.teletrust.TeleTrusTNamedCurves;
 import org.spongycastle.asn1.x9.X9ECParameters;
 import org.spongycastle.crypto.AsymmetricCipherKeyPair;
-import org.spongycastle.crypto.BasicAgreement;
 import org.spongycastle.crypto.Digest;
-import org.spongycastle.crypto.agreement.ECDHBasicAgreement;
 import org.spongycastle.crypto.agreement.ECDHCBasicAgreement;
-import org.spongycastle.crypto.digests.Blake2bDigest;
 import org.spongycastle.crypto.generators.ECKeyPairGenerator;
 import org.spongycastle.crypto.params.ECDomainParameters;
 import org.spongycastle.crypto.params.ECKeyGenerationParameters;
+import org.spongycastle.crypto.params.ECPrivateKeyParameters;
+import org.spongycastle.crypto.params.ECPublicKeyParameters;
 import org.spongycastle.crypto.params.ParametersWithRandom;
 import org.spongycastle.crypto.signers.DSADigestSigner;
 import org.spongycastle.crypto.signers.DSAKCalculator;
@@ -23,22 +19,14 @@ import org.spongycastle.crypto.signers.HMacDSAKCalculator;
 import org.spongycastle.math.ec.ECCurve;
 import org.spongycastle.math.ec.ECPoint;
 import org.spongycastle.math.ec.MontgomeryLadderMultiplier;
-import org.whispersystems.curve25519.Curve25519;
-import org.whispersystems.curve25519.Curve25519KeyPair;
 
 import java.math.BigInteger;
-import java.security.GeneralSecurityException;
-import java.security.KeyPair;
-import java.security.Provider;
 import java.security.SecureRandom;
-import java.security.Signature;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
-import static net.i2p.crypto.eddsa.EdDSAEngine.SIGNATURE_ALGORITHM;
-
 // Not a JUnit test
 public class EllipticCurvePerformanceTest {
 
@@ -49,9 +37,8 @@ public class EllipticCurvePerformanceTest {
 			"secp256k1", "secp256r1", "secp384r1", "secp521r1");
 	private static final List<String> BRAINPOOL_NAMES = Arrays.asList(
 			"brainpoolp256r1", "brainpoolp384r1", "brainpoolp512r1");
-	private static final Provider ED_PROVIDER = new EdDSASecurityProvider();
 
-	public static void main(String[] args) throws GeneralSecurityException {
+	public static void main(String[] args) {
 		for (String name : SEC_NAMES) {
 			ECDomainParameters params =
 					convertParams(SECNamedCurves.getByName(name));
@@ -64,31 +51,43 @@ public class EllipticCurvePerformanceTest {
 			runTest(name + " default", params);
 			runTest(name + " constant", constantTime(params));
 		}
-		runCurve25519Test();
-		runEd25519Test();
+		runTest("ours", EllipticCurveConstants.PARAMETERS);
 	}
 
 	private static void runTest(String name, ECDomainParameters params) {
 		// Generate two key pairs using the given parameters
+		ECKeyGenerationParameters generatorParams =
+				new ECKeyGenerationParameters(params, random);
 		ECKeyPairGenerator generator = new ECKeyPairGenerator();
-		generator.init(new ECKeyGenerationParameters(params, random));
+		generator.init(generatorParams);
 		AsymmetricCipherKeyPair keyPair1 = generator.generateKeyPair();
+		ECPublicKeyParameters public1 =
+				(ECPublicKeyParameters) keyPair1.getPublic();
+		ECPrivateKeyParameters private1 =
+				(ECPrivateKeyParameters) keyPair1.getPrivate();
 		AsymmetricCipherKeyPair keyPair2 = generator.generateKeyPair();
-		// Time some ECDH and ECDHC key agreements
-		long agreementMedian = runAgreementTest(keyPair1, keyPair2, false);
-		long agreementWithCofactorMedian =
-				runAgreementTest(keyPair1, keyPair2, true);
-		// Time some signatures
+		ECPublicKeyParameters public2 =
+				(ECPublicKeyParameters) keyPair2.getPublic();
+		// Time some ECDH key agreements
 		List<Long> samples = new ArrayList<>();
-		List<byte[]> signatures = new ArrayList<>();
 		for (int i = 0; i < SAMPLES; i++) {
-			Digest digest = new Blake2bDigest(256);
+			ECDHCBasicAgreement agreement = new ECDHCBasicAgreement();
+			long start = System.nanoTime();
+			agreement.init(private1);
+			agreement.calculateAgreement(public2);
+			samples.add(System.nanoTime() - start);
+		}
+		long agreementMedian = median(samples);
+		// Time some signatures
+		List<byte[]> signatures = new ArrayList<>();
+		samples.clear();
+		for (int i = 0; i < SAMPLES; i++) {
+			Digest digest = new Blake2sDigest();
 			DSAKCalculator calculator = new HMacDSAKCalculator(digest);
 			DSADigestSigner signer = new DSADigestSigner(new ECDSASigner(
 					calculator), digest);
 			long start = System.nanoTime();
-			signer.init(true,
-					new ParametersWithRandom(keyPair1.getPrivate(), random));
+			signer.init(true, new ParametersWithRandom(private1, random));
 			signer.update(new byte[BYTES_TO_SIGN], 0, BYTES_TO_SIGN);
 			signatures.add(signer.generateSignature());
 			samples.add(System.nanoTime() - start);
@@ -97,88 +96,22 @@ public class EllipticCurvePerformanceTest {
 		// Time some signature verifications
 		samples.clear();
 		for (int i = 0; i < SAMPLES; i++) {
-			Digest digest = new Blake2bDigest(256);
+			Digest digest = new Blake2sDigest();
 			DSAKCalculator calculator = new HMacDSAKCalculator(digest);
 			DSADigestSigner signer = new DSADigestSigner(new ECDSASigner(
 					calculator), digest);
 			long start = System.nanoTime();
-			signer.init(false, keyPair1.getPublic());
+			signer.init(false, public1);
 			signer.update(new byte[BYTES_TO_SIGN], 0, BYTES_TO_SIGN);
 			if (!signer.verifySignature(signatures.get(i)))
 				throw new AssertionError();
 			samples.add(System.nanoTime() - start);
 		}
 		long verificationMedian = median(samples);
-		System.out.println(String.format("%s: %,d %,d %,d %,d", name,
-				agreementMedian, agreementWithCofactorMedian,
-				signatureMedian, verificationMedian));
-	}
-
-	private static long runAgreementTest(AsymmetricCipherKeyPair keyPair1,
-			AsymmetricCipherKeyPair keyPair2, boolean withCofactor) {
-		List<Long> samples = new ArrayList<>();
-		for (int i = 0; i < SAMPLES; i++) {
-			BasicAgreement agreement = createAgreement(withCofactor);
-			long start = System.nanoTime();
-			agreement.init(keyPair1.getPrivate());
-			agreement.calculateAgreement(keyPair2.getPublic());
-			samples.add(System.nanoTime() - start);
-		}
-		return median(samples);
-	}
-
-	private static BasicAgreement createAgreement(boolean withCofactor) {
-		if (withCofactor) return new ECDHCBasicAgreement();
-		else return new ECDHBasicAgreement();
-	}
-
-	private static void runCurve25519Test() {
-		Curve25519 curve25519 = Curve25519.getInstance("java");
-		Curve25519KeyPair keyPair1 = curve25519.generateKeyPair();
-		Curve25519KeyPair keyPair2 = curve25519.generateKeyPair();
-		// Time some key agreements
-		List<Long> samples = new ArrayList<>();
-		for (int i = 0; i < SAMPLES; i++) {
-			long start = System.nanoTime();
-			curve25519.calculateAgreement(keyPair1.getPublicKey(),
-					keyPair2.getPrivateKey());
-			samples.add(System.nanoTime() - start);
-		}
-		long agreementMedian = median(samples);
-		System.out.println(String.format("Curve25519: %,d - - -",
-				agreementMedian));
-	}
-
-	private static void runEd25519Test() throws GeneralSecurityException {
-		KeyPair keyPair = new KeyPairGenerator().generateKeyPair();
-		// Time some signatures
-		List<Long> samples = new ArrayList<>();
-		List<byte[]> signatures = new ArrayList<>();
-		for (int i = 0; i < SAMPLES; i++) {
-			Signature signature =
-					Signature.getInstance(SIGNATURE_ALGORITHM, ED_PROVIDER);
-			long start = System.nanoTime();
-			signature.initSign(keyPair.getPrivate(), random);
-			signature.update(new byte[BYTES_TO_SIGN], 0, BYTES_TO_SIGN);
-			signatures.add(signature.sign());
-			samples.add(System.nanoTime() - start);
-		}
-		long signatureMedian = median(samples);
-		// Time some signature verifications
-		samples.clear();
-		for (int i = 0; i < SAMPLES; i++) {
-			Signature signature =
-					Signature.getInstance(SIGNATURE_ALGORITHM, ED_PROVIDER);
-			long start = System.nanoTime();
-			signature.initVerify(keyPair.getPublic());
-			signature.update(new byte[BYTES_TO_SIGN], 0, BYTES_TO_SIGN);
-			if (!signature.verify(signatures.get(i)))
-				throw new AssertionError();
-			samples.add(System.nanoTime() - start);
-		}
-		long verificationMedian = median(samples);
-		System.out.println(String.format("Ed25519: - - %,d %,d",
-				signatureMedian, verificationMedian));
+		System.out.println(name + ": "
+				+ agreementMedian + " "
+				+ signatureMedian + " "
+				+ verificationMedian);
 	}
 
 	private static long median(List<Long> list) {

bramble-core/src/test/java/org/briarproject/bramble/crypto/HashTest.java

@@ -22,7 +22,7 @@ public class HashTest extends BrambleTestCase {
 	private final byte[] inputBytes2 = new byte[0];
 
 	public HashTest() {
-		crypto = new CryptoComponentImpl(new TestSecureRandomProvider(), null);
+		crypto = new CryptoComponentImpl(new TestSecureRandomProvider());
 	}
 
 	@Test

bramble-core/src/test/java/org/briarproject/bramble/crypto/KeyAgreementTest.java

@@ -2,80 +2,41 @@ package org.briarproject.bramble.crypto;
 
 import org.briarproject.bramble.api.crypto.CryptoComponent;
 import org.briarproject.bramble.api.crypto.KeyPair;
-import org.briarproject.bramble.api.crypto.PublicKey;
 import org.briarproject.bramble.api.crypto.SecretKey;
+import org.briarproject.bramble.api.system.SecureRandomProvider;
 import org.briarproject.bramble.test.BrambleTestCase;
 import org.briarproject.bramble.test.TestSecureRandomProvider;
 import org.junit.Test;
-import org.whispersystems.curve25519.Curve25519;
 
-import java.security.GeneralSecurityException;
-import java.util.Random;
-
-import static org.briarproject.bramble.api.keyagreement.KeyAgreementConstants.SHARED_SECRET_LABEL;
-import static org.briarproject.bramble.test.TestUtils.getRandomBytes;
-import static org.briarproject.bramble.util.StringUtils.fromHexString;
 import static org.junit.Assert.assertArrayEquals;
 
 public class KeyAgreementTest extends BrambleTestCase {
 
-	// Test vector from RFC 7748: Alice's private and public keys, Bob's
-	// private and public keys, and the shared secret
-	// https://tools.ietf.org/html/rfc7748#section-6.1
-	private static final String ALICE_PRIVATE =
-			"77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
-	private static final String ALICE_PUBLIC =
-			"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
-	private static final String BOB_PRIVATE =
-			"5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
-	private static final String BOB_PUBLIC =
-			"de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
-	private static final String SHARED_SECRET =
-			"4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
-
-	private final CryptoComponent crypto =
-			new CryptoComponentImpl(new TestSecureRandomProvider(), null);
-	private final byte[][] inputs;
-
-	public KeyAgreementTest() {
-		Random random = new Random();
-		inputs = new byte[random.nextInt(10) + 1][];
-		for (int i = 0; i < inputs.length; i++)
-			inputs[i] = getRandomBytes(random.nextInt(256));
+	@Test
+	public void testDeriveMasterSecret() throws Exception {
+		SecureRandomProvider
+				secureRandomProvider = new TestSecureRandomProvider();
+		CryptoComponent crypto = new CryptoComponentImpl(secureRandomProvider);
+		KeyPair aPair = crypto.generateAgreementKeyPair();
+		byte[] aPub = aPair.getPublic().getEncoded();
+		KeyPair bPair = crypto.generateAgreementKeyPair();
+		byte[] bPub = bPair.getPublic().getEncoded();
+		SecretKey aMaster = crypto.deriveMasterSecret(aPub, bPair, true);
+		SecretKey bMaster = crypto.deriveMasterSecret(bPub, aPair, false);
+		assertArrayEquals(aMaster.getBytes(), bMaster.getBytes());
 	}
 
 	@Test
-	public void testDerivesSharedSecret() throws Exception {
+	public void testDeriveSharedSecret() throws Exception {
+		SecureRandomProvider
+				secureRandomProvider = new TestSecureRandomProvider();
+		CryptoComponent crypto = new CryptoComponentImpl(secureRandomProvider);
 		KeyPair aPair = crypto.generateAgreementKeyPair();
+		byte[] aPub = aPair.getPublic().getEncoded();
 		KeyPair bPair = crypto.generateAgreementKeyPair();
-		SecretKey aShared = crypto.deriveSharedSecret(SHARED_SECRET_LABEL,
-				bPair.getPublic(), aPair, inputs);
-		SecretKey bShared = crypto.deriveSharedSecret(SHARED_SECRET_LABEL,
-				aPair.getPublic(), bPair, inputs);
+		byte[] bPub = bPair.getPublic().getEncoded();
+		SecretKey aShared = crypto.deriveSharedSecret(bPub, aPair, true);
+		SecretKey bShared = crypto.deriveSharedSecret(aPub, bPair, false);
 		assertArrayEquals(aShared.getBytes(), bShared.getBytes());
 	}
-
-	@Test(expected = GeneralSecurityException.class)
-	public void testRejectsInvalidPublicKey() throws Exception {
-		KeyPair keyPair = crypto.generateAgreementKeyPair();
-		PublicKey invalid = new Curve25519PublicKey(new byte[32]);
-		crypto.deriveSharedSecret(SHARED_SECRET_LABEL, invalid, keyPair,
-				inputs);
-	}
-
-	@Test
-	public void testRfc7748TestVector() throws Exception {
-		// Private keys need to be clamped because curve25519-java does the
-		// clamping at key generation time, not multiplication time
-		byte[] aPriv = Curve25519KeyParser.clamp(fromHexString(ALICE_PRIVATE));
-		byte[] aPub = fromHexString(ALICE_PUBLIC);
-		byte[] bPriv = Curve25519KeyParser.clamp(fromHexString(BOB_PRIVATE));
-		byte[] bPub = fromHexString(BOB_PUBLIC);
-		byte[] sharedSecret = fromHexString(SHARED_SECRET);
-		Curve25519 curve25519 = Curve25519.getInstance("java");
-		assertArrayEquals(sharedSecret,
-				curve25519.calculateAgreement(aPub, bPriv));
-		assertArrayEquals(sharedSecret,
-				curve25519.calculateAgreement(bPub, aPriv));
-	}
 }