Cuckaroo validation implementation (#1911)

* First pass at iterative siphash
* Generalizing our siphash24 implementation slightly to make it friendlier to repeated hashing
* Block siphash algorithm, Cuckaroo placeholder
* Cuckaroo validator, still needs to be tested with vectors from the @tromp implementation
* Working cuckaroo validation with test vectors for cuckaroo19, will add cuckaroo29 vectors when a lean or mean implementation can find some solutions

core/src/pow/cuckaroo.rs

@@ -0,0 +1,165 @@
+// Copyright 2018 The Grin Developers
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Implementation of Cuckaroo Cycle, based on Cuckoo Cycle designed by
+//! John Tromp. Ported to Rust from https://github.com/tromp/cuckoo.
+//!
+//! Cuckaroo is an ASIC-Resistant variation of Cuckoo (CuckARoo) that's
+//! aimed at making the lean mining mode of Cuckoo extremely ineffective.
+//! It is one of the 2 proof of works used in Grin (the other one being the
+//! more ASIC friendly Cuckatoo).
+//!
+//! In Cuckaroo, edges are calculated by repeatedly hashing the seeds to
+//! obtain blocks of values. Nodes are then extracted from those edges.
+
+use pow::common::{CuckooParams, EdgeType};
+use pow::error::{Error, ErrorKind};
+use pow::siphash::siphash_block;
+use pow::{PoWContext, Proof};
+
+/// Cuckatoo cycle context. Only includes the verifier for now.
+pub struct CuckarooContext<T>
+where
+	T: EdgeType,
+{
+	params: CuckooParams<T>,
+}
+
+impl<T> PoWContext<T> for CuckarooContext<T>
+where
+	T: EdgeType,
+{
+	fn new(edge_bits: u8, proof_size: usize, _max_sols: u32) -> Result<Box<Self>, Error> {
+		let params = CuckooParams::new(edge_bits, proof_size)?;
+		Ok(Box::new(CuckarooContext { params }))
+	}
+
+	fn set_header_nonce(
+		&mut self,
+		header: Vec<u8>,
+		nonce: Option<u32>,
+		_solve: bool,
+	) -> Result<(), Error> {
+		self.params.reset_header_nonce(header, nonce)
+	}
+
+	fn find_cycles(&mut self) -> Result<Vec<Proof>, Error> {
+		unimplemented!()
+	}
+
+	fn verify(&self, proof: &Proof) -> Result<(), Error> {
+		let nonces = &proof.nonces;
+		let mut uvs = vec![0u64; 2 * proof.proof_size()];
+		let mut xor0: u64 = 0;
+		let mut xor1: u64 = 0;
+
+		for n in 0..proof.proof_size() {
+			if nonces[n] > to_u64!(self.params.edge_mask) {
+				return Err(ErrorKind::Verification("edge too big".to_owned()))?;
+			}
+			if n > 0 && nonces[n] <= nonces[n - 1] {
+				return Err(ErrorKind::Verification("edges not ascending".to_owned()))?;
+			}
+			let edge = to_edge!(siphash_block(&self.params.siphash_keys, nonces[n]));
+			uvs[2 * n] = to_u64!(edge & self.params.edge_mask);
+			uvs[2 * n + 1] = to_u64!((edge >> 32) & self.params.edge_mask);
+			xor0 ^= uvs[2 * n];
+			xor1 ^= uvs[2 * n + 1];
+		}
+		if xor0 | xor1 != 0 {
+			return Err(ErrorKind::Verification(
+				"endpoints don't match up".to_owned(),
+			))?;
+		}
+		let mut n = 0;
+		let mut i = 0;
+		let mut j;
+		loop {
+			// follow cycle
+			j = i;
+			let mut k = j;
+			loop {
+				k = (k + 2) % (2 * self.params.proof_size);
+				if k == i {
+					break;
+				}
+				if uvs[k] == uvs[i] {
+					// find other edge endpoint matching one at i
+					if j != i {
+						return Err(ErrorKind::Verification("branch in cycle".to_owned()))?;
+					}
+					j = k;
+				}
+			}
+			if j == i {
+				return Err(ErrorKind::Verification("cycle dead ends".to_owned()))?;
+			}
+			i = j ^ 1;
+			n += 1;
+			if i == 0 {
+				break;
+			}
+		}
+		if n == self.params.proof_size {
+			Ok(())
+		} else {
+			Err(ErrorKind::Verification("cycle too short".to_owned()))?
+		}
+	}
+}
+
+#[cfg(test)]
+mod test {
+	use super::*;
+
+	// empty header, nonce 71
+	static V1_19_HASH: [u64; 4] = [
+		0x23796193872092ea,
+		0xf1017d8a68c4b745,
+		0xd312bd53d2cd307b,
+		0x840acce5833ddc52,
+	];
+	static V1_19_SOL: [u64; 42] = [
+		0x45e9, 0x6a59, 0xf1ad, 0x10ef7, 0x129e8, 0x13e58, 0x17936, 0x19f7f, 0x208df, 0x23704,
+		0x24564, 0x27e64, 0x2b828, 0x2bb41, 0x2ffc0, 0x304c5, 0x31f2a, 0x347de, 0x39686, 0x3ab6c,
+		0x429ad, 0x45254, 0x49200, 0x4f8f8, 0x5697f, 0x57ad1, 0x5dd47, 0x607f8, 0x66199, 0x686c7,
+		0x6d5f3, 0x6da7a, 0x6dbdf, 0x6f6bf, 0x6ffbb, 0x7580e, 0x78594, 0x785ac, 0x78b1d, 0x7b80d,
+		0x7c11c, 0x7da35,
+	];
+
+	// empty header, nonce 143
+	static V2_19_HASH: [u64; 4] = [
+		0x6a54f2a35ab7e976,
+		0x68818717ff5cd30e,
+		0x9c14260c1bdbaf7,
+		0xea5b4cd5d0de3cf0,
+	];
+	static V2_19_SOL: [u64; 42] = [
+		0x2b1e, 0x67d3, 0xb041, 0xb289, 0xc6c3, 0xd31e, 0xd75c, 0x111d7, 0x145aa, 0x1712e, 0x1a3af,
+		0x1ecc5, 0x206b1, 0x2a55c, 0x2a9cd, 0x2b67e, 0x321d8, 0x35dde, 0x3721e, 0x37ac0, 0x39edb,
+		0x3b80b, 0x3fc79, 0x4148b, 0x42a48, 0x44395, 0x4bbc9, 0x4f775, 0x515c5, 0x56f97, 0x5aa10,
+		0x5bc1b, 0x5c56d, 0x5d552, 0x60a2e, 0x66646, 0x6c3aa, 0x70709, 0x71d13, 0x762a3, 0x79d88,
+		0x7e3ae,
+	];
+
+	#[test]
+	fn cuckaroo19_vectors() {
+		let mut ctx = CuckarooContext::<u64>::new(19, 42, 0).unwrap();
+		ctx.params.siphash_keys = V1_19_HASH.clone();
+		assert!(ctx.verify(&Proof::new(V1_19_SOL.to_vec().clone())).is_ok());
+		ctx.params.siphash_keys = V2_19_HASH.clone();
+		assert!(ctx.verify(&Proof::new(V2_19_SOL.to_vec().clone())).is_ok());
+		assert!(ctx.verify(&Proof::zero(42)).is_err());
+	}
+}

core/src/pow/cuckoo.rs

@@ -14,8 +14,8 @@
 
 //! Implementation of Cuckoo Cycle designed by John Tromp. Ported to Rust from
 //! the C and Java code at https://github.com/tromp/cuckoo. Note that only the
-//! simple miner is included, mostly for testing purposes. John Tromp's Tomato
-//! miner will be much faster in almost every environment.
+//! simple miner is included, mostly for testing purposes. John Tromp's miners
+//! will be much faster in almost every environment.
 
 use pow::common::{CuckooParams, Edge, EdgeType};
 use pow::error::{Error, ErrorKind};

core/src/pow/mod.rs

@@ -38,6 +38,7 @@ extern crate grin_util as util;
 
 #[macro_use]
 mod common;
+pub mod cuckaroo;
 pub mod cuckatoo;
 pub mod cuckoo;
 mod error;

core/src/pow/siphash.rs

@@ -15,62 +15,110 @@
 //! Simple implementation of the siphash 2-4 hashing function from
 //! Jean-Philippe Aumasson and Daniel J. Bernstein.
 
-/// Implements siphash 2-4 specialized for a 4 u64 array key and a u64 nonce
+// Parameters to the siphash block algorithm. Used by Cuckaroo but can be
+// seen as a generic way to derive a hash within a block of them.
+const SIPHASH_BLOCK_BITS: u64 = 6;
+const SIPHASH_BLOCK_SIZE: u64 = 1 << SIPHASH_BLOCK_BITS;
+const SIPHASH_BLOCK_MASK: u64 = SIPHASH_BLOCK_SIZE - 1;
+
+// helper macro for left rotation
+macro_rules! rotl {
+	($num:expr, $shift:expr) => {
+		$num = ($num << $shift) | ($num >> (64 - $shift));
+	};
+}
+
+/// Utility function to compute a single siphash 2-4 based on a seed and
+/// a nonce
 pub fn siphash24(v: &[u64; 4], nonce: u64) -> u64 {
-	let mut v0 = v[0];
-	let mut v1 = v[1];
-	let mut v2 = v[2];
-	let mut v3 = v[3] ^ nonce;
+	let mut siphash = SipHash24::new(v);
+	siphash.hash(nonce);
+	siphash.digest()
+}
 
-	// macro for left rotation
-	macro_rules! rotl {
-		($num:ident, $shift:expr) => {
-			$num = ($num << $shift) | ($num >> (64 - $shift));
-		};
+/// Builds a block of siphash values by repeatedly hashing from the nonce
+/// truncated to its closest block start, up to the end of the block. Returns
+/// the resulting hash at the nonce's position.
+pub fn siphash_block(v: &[u64; 4], nonce: u64) -> u64 {
+	let mut block = Vec::with_capacity(SIPHASH_BLOCK_SIZE as usize);
+	// beginning of the block of hashes
+	let nonce0 = nonce & !SIPHASH_BLOCK_MASK;
+
+	// fill up our block with repeated hashes
+	let mut siphash = SipHash24::new(v);
+	for n in nonce0..(nonce0 + SIPHASH_BLOCK_SIZE) {
+		siphash.hash(n);
+		block.push(siphash.digest());
+	}
+	assert_eq!(block.len(), SIPHASH_BLOCK_SIZE as usize);
+
+	// xor all-but-last with last value to avoid shortcuts in computing block
+	let last = block[SIPHASH_BLOCK_MASK as usize];
+	for n in 0..SIPHASH_BLOCK_MASK {
+		block[n as usize] ^= last;
+	}
+	return block[(nonce & SIPHASH_BLOCK_MASK) as usize];
+}
+
+/// Implements siphash 2-4 specialized for a 4 u64 array key and a u64 nonce
+/// that can be used for a single or multiple repeated hashing.
+///
+/// The siphash structure is represented by a vector of four 64-bits words
+/// that we simply reference by their position. A hashing round consists of
+/// a series of arithmetic operations on those words, while the resulting
+/// hash digest is an xor of xor on them.
+///
+/// Note that this implementation is only secure if it's already fed words
+/// output from a previous hash function (in our case blake2).
+pub struct SipHash24(u64, u64, u64, u64);
+
+impl SipHash24 {
+	/// Create a new siphash context
+	pub fn new(v: &[u64; 4]) -> SipHash24 {
+		SipHash24(v[0], v[1], v[2], v[3])
 	}
 
-	// macro for a single siphash round
-	macro_rules! round {
-		() => {
-			v0 = v0.wrapping_add(v1);
-			v2 = v2.wrapping_add(v3);
-			rotl!(v1, 13);
-			rotl!(v3, 16);
-			v1 ^= v0;
-			v3 ^= v2;
-			rotl!(v0, 32);
-			v2 = v2.wrapping_add(v1);
-			v0 = v0.wrapping_add(v3);
-			rotl!(v1, 17);
-			rotl!(v3, 21);
-			v1 ^= v2;
-			v3 ^= v0;
-			rotl!(v2, 32);
-		};
+	/// One siphash24 hashing, consisting of 2 and then 4 rounds
+	pub fn hash(&mut self, nonce: u64) {
+		self.3 ^= nonce;
+		self.round();
+		self.round();
+
+		self.0 ^= nonce;
+		self.2 ^= 0xff;
+
+		for _ in 0..4 {
+			self.round();
+		}
 	}
 
-	// 2 rounds
-	round!();
-	round!();
+	/// Resulting hash digest
+	pub fn digest(&self) -> u64 {
+		(self.0 ^ self.1) ^ (self.2 ^ self.3)
+	}
 
-	v0 ^= nonce;
-	v2 ^= 0xff;
-
-	// and then 4 rounds, hence siphash 2-4
-	round!();
-	round!();
-	round!();
-	round!();
-
-	v0 ^ v1 ^ v2 ^ v3
+	fn round(&mut self) {
+		self.0 = self.0.wrapping_add(self.1);
+		self.2 = self.2.wrapping_add(self.3);
+		rotl!(self.1, 13);
+		rotl!(self.3, 16);
+		self.1 ^= self.0;
+		self.3 ^= self.2;
+		rotl!(self.0, 32);
+		self.2 = self.2.wrapping_add(self.1);
+		self.0 = self.0.wrapping_add(self.3);
+		rotl!(self.1, 17);
+		rotl!(self.3, 21);
+		self.1 ^= self.2;
+		self.3 ^= self.0;
+		rotl!(self.2, 32);
+	}
 }
 
 #[cfg(test)]
 mod test {
 	use super::*;
 
-	/// Some test vectors hoisted from the Java implementation (adjusted from
-	/// the fact that the Java impl uses a long, aka a signed 64 bits number).
 	#[test]
 	fn hash_some() {
 		assert_eq!(siphash24(&[1, 2, 3, 4], 10), 928382149599306901);
@@ -78,4 +126,11 @@ mod test {
 		assert_eq!(siphash24(&[9, 7, 6, 7], 12), 1305683875471634734);
 		assert_eq!(siphash24(&[9, 7, 6, 7], 10), 11589833042187638814);
 	}
+
+	#[test]
+	fn hash_block() {
+		assert_eq!(siphash_block(&[1, 2, 3, 4], 10), 1182162244994096396);
+		assert_eq!(siphash_block(&[1, 2, 3, 4], 123), 11303676240481718781);
+		assert_eq!(siphash_block(&[9, 7, 6, 7], 12), 4886136884237259030);
+	}
 }