v0.37.0

- Use compact device list encoding when sending SSv2 messages. This is
  a client->server format change; the receiving side was added in
  v0.35.0.

- Add support for excluded recipients for SSv2 messages.

- Add GroupSendCredential.

- Speed up SSv2 message encryption by generating key material on
  multiple threads.

- Android+iOS: Fix SenderKeyDistributionMessage.getDistributionId(),
  which was producing garbage output. (Thanks for the report,
  @imb591!)

- Rust: Move ServiceId + ProtocolAddress to new libsignal-core crate
  (but re-exported through libsignal-protocol, so this is a
  non-breaking change). zkgroup no longer depends on
  libsignal-protocol.

- Fuzz test fixes related to pre_key_id and archived sessions count
  (thanks, @moodyjon!)

v0.36.1

- Update curve25519-dalek to 4.1.1
- Fix the server push response format in libsignal-net (no client
  impact)
- Java: Take in session list for sealed sender multiRecipientEncrypt

v0.36.0

- All: Add attestation constants for new SVR2 enclaves
- Android: Expose CDSI lookup APIs
- iOS: Adopt modern SignalCoreKit logging APIs

"SVR3" work is still experimental and should not be used yet.

v0.35.0

- (Rust, Java) Expose SSv2 message parsing in libsignal-server, along
  with support for compact device lists and excluded recipients. Send
  support will come in a future release.

- (All) Consistently pad encrypted usernames to 128 bytes

- (Node) Target ES2020 instead of ES2015.

- (Java) Improve Pair's equals, hashCode, and toString

- (Rust) Continued work on the still-experimental libsignal-net.

v0.34.0

zkgroup:
- Introduce zkgroup::{deserialize,serialize}
- Add a serialization benchmark
- Add PartialDefault to most zkcredential and zkgroup types

zkcredential:
- Add a benchmark for KeyPair::inverse_of
- Don't provide a default for KeyPair::G_a (a breaking API change in Rust)

Usernames:
- Allow generating a new link buffer with existing entropy (breaking API
  change in Rust, additive change for the clients)

libsignal-net:
- Add CDSI lookup function
- Add CDSI lookup bridge code for node
- Reconnect logic revision and tests

Other:
- Use the 64-bit curve25519-dalek backend even on 32-bit Android
- Implement PPSS for SVR3

v0.33.0

- BackupAuthCredential: a new zero-knowledge credential that will be
  used for experimenting with backups
- WebP sanitizer: lightly validate webp files before display. Not
  exposed on iOS at this time.

- zkcredential KeyPair and PublicKey traits have been replaced by
  concrete types with a "domain" generic parameter marker type. A number
  of bespoke zkgroup types were converted to use these zkcredential
  types. This is a breaking change if you were directly using
  zkcredential, *or* if you were serializing zkgroup types using
  something other than `bincode`.
- Kyber768 support in libsignal-protocol has been put behind a feature
  flag, along with the current revision of ML-KEM 1024 (the
  NIST-standard version of Kyber1024).

- Added libsignal-net, a new crate for talking to the Signal chat
  service. This crate is still in flux and nothing has been exposed to
  apps yet; using it at this time is not recommended.
- Added a currently-unused `bridge_io` macro for truly asynchronous
  operations through the Java and Swift bridges.
- libsignal-protocol's KEM APIs now report the correct value for a
  shared secret length (it already generated those secrets correctly).
  The reported length was never used, so no bugs were exposed, but it's
  nonetheless worth fixing. Thanks, @mseewer!

- When sending a message on an unacknowledged session, the creation
  timestamp for that session will now be logged.
- Some overly noisy logs about session archiving have been cleaned up;
  receiving a pre-key message will no longer always log about archiving
  a session.
- Debug-level Rust logs are now compiled out of the Java, Swift, and
  TypeScript release builds.

- Updated to a new version of `boring` and BoringSSL.
- Updated to a newer version of `linkme` to fix issues in the Node build
  on Windows.

v0.32.1

- Updated jni dependency to 0.21 and addressed incompatibilities.
- Updated to Rust nightly-2023-09-01
- Implemented new logic for incremental mac chunk size.

v0.32.0

Protocol:
- Check expiration in hasSenderChain/hasCurrentState
- Make the "base key" part of the SessionState constructor
- Record the timestamp when a pre-key bundle is processed
- Remove SessionRecord.fromSingleSessionState
- Simplify key derivation for multi-recipient sealed sender
- Throw SessionNotFound for an expired unacknowledged session
- Improve incremental MAC API

Java:
- Do not close the inner stream in IncrementalMacOutputStream
- Implement readBuffer missing from older Androids
- Piggyback on base.clean Gradle task
- Add Automatic-Module-Name attribute to jar manifest
- Address javadoc warnings
- Automate the Android and Server publishing to Sonatype
- Adopt Nexus plugin to automatically close releases on Sonatype
- Set version and group info in the root project
- Set up and apply code formatting

Dependencies:
- Update all the RustCrypto crates
- Update snow to 0.9.3
- Update x25519-dalek to v2.0.0

v0.31.0

- Update dependencies following curve25519-dalek 4.0.0 release

v0.30.2

- Add {Aci,Pni}.parseFromServiceId{String,Binary}
- Add senderAci() to SenderCertificate and DecryptionResult
- java: Prefer checked exceptions for ServiceId parsing methods
- iOS: Bump deployment target to iOS 13