From 66acee8f71cf78134aee39c00bb16fad891aeeaf Mon Sep 17 00:00:00 2001 From: Ignotus Peverell Date: Mon, 19 Nov 2018 11:03:58 -0800 Subject: [PATCH] Cuckaroo validation implementation (#1911) * First pass at iterative siphash * Generalizing our siphash24 implementation slightly to make it friendlier to repeated hashing * Block siphash algorithm, Cuckaroo placeholder * Cuckaroo validator, still needs to be tested with vectors from the @tromp implementation * Working cuckaroo validation with test vectors for cuckaroo19, will add cuckaroo29 vectors when a lean or mean implementation can find some solutions --- core/src/pow/cuckaroo.rs | 165 +++++++++++++++++++++++++++++++++++++++ core/src/pow/cuckoo.rs | 4 +- core/src/pow/mod.rs | 1 + core/src/pow/siphash.rs | 141 +++++++++++++++++++++++---------- 4 files changed, 266 insertions(+), 45 deletions(-) create mode 100644 core/src/pow/cuckaroo.rs diff --git a/core/src/pow/cuckaroo.rs b/core/src/pow/cuckaroo.rs new file mode 100644 index 000000000..5ac895896 --- /dev/null +++ b/core/src/pow/cuckaroo.rs @@ -0,0 +1,165 @@ +// Copyright 2018 The Grin Developers +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//! Implementation of Cuckaroo Cycle, based on Cuckoo Cycle designed by +//! John Tromp. Ported to Rust from https://github.com/tromp/cuckoo. +//! +//! Cuckaroo is an ASIC-Resistant variation of Cuckoo (CuckARoo) that's +//! aimed at making the lean mining mode of Cuckoo extremely ineffective. +//! It is one of the 2 proof of works used in Grin (the other one being the +//! more ASIC friendly Cuckatoo). +//! +//! In Cuckaroo, edges are calculated by repeatedly hashing the seeds to +//! obtain blocks of values. Nodes are then extracted from those edges. + +use pow::common::{CuckooParams, EdgeType}; +use pow::error::{Error, ErrorKind}; +use pow::siphash::siphash_block; +use pow::{PoWContext, Proof}; + +/// Cuckatoo cycle context. Only includes the verifier for now. +pub struct CuckarooContext +where + T: EdgeType, +{ + params: CuckooParams, +} + +impl PoWContext for CuckarooContext +where + T: EdgeType, +{ + fn new(edge_bits: u8, proof_size: usize, _max_sols: u32) -> Result, Error> { + let params = CuckooParams::new(edge_bits, proof_size)?; + Ok(Box::new(CuckarooContext { params })) + } + + fn set_header_nonce( + &mut self, + header: Vec, + nonce: Option, + _solve: bool, + ) -> Result<(), Error> { + self.params.reset_header_nonce(header, nonce) + } + + fn find_cycles(&mut self) -> Result, Error> { + unimplemented!() + } + + fn verify(&self, proof: &Proof) -> Result<(), Error> { + let nonces = &proof.nonces; + let mut uvs = vec![0u64; 2 * proof.proof_size()]; + let mut xor0: u64 = 0; + let mut xor1: u64 = 0; + + for n in 0..proof.proof_size() { + if nonces[n] > to_u64!(self.params.edge_mask) { + return Err(ErrorKind::Verification("edge too big".to_owned()))?; + } + if n > 0 && nonces[n] <= nonces[n - 1] { + return Err(ErrorKind::Verification("edges not ascending".to_owned()))?; + } + let edge = to_edge!(siphash_block(&self.params.siphash_keys, nonces[n])); + uvs[2 * n] = to_u64!(edge & self.params.edge_mask); + uvs[2 * n + 1] = to_u64!((edge >> 32) & self.params.edge_mask); + xor0 ^= uvs[2 * n]; + xor1 ^= uvs[2 * n + 1]; + } + if xor0 | xor1 != 0 { + return Err(ErrorKind::Verification( + "endpoints don't match up".to_owned(), + ))?; + } + let mut n = 0; + let mut i = 0; + let mut j; + loop { + // follow cycle + j = i; + let mut k = j; + loop { + k = (k + 2) % (2 * self.params.proof_size); + if k == i { + break; + } + if uvs[k] == uvs[i] { + // find other edge endpoint matching one at i + if j != i { + return Err(ErrorKind::Verification("branch in cycle".to_owned()))?; + } + j = k; + } + } + if j == i { + return Err(ErrorKind::Verification("cycle dead ends".to_owned()))?; + } + i = j ^ 1; + n += 1; + if i == 0 { + break; + } + } + if n == self.params.proof_size { + Ok(()) + } else { + Err(ErrorKind::Verification("cycle too short".to_owned()))? + } + } +} + +#[cfg(test)] +mod test { + use super::*; + + // empty header, nonce 71 + static V1_19_HASH: [u64; 4] = [ + 0x23796193872092ea, + 0xf1017d8a68c4b745, + 0xd312bd53d2cd307b, + 0x840acce5833ddc52, + ]; + static V1_19_SOL: [u64; 42] = [ + 0x45e9, 0x6a59, 0xf1ad, 0x10ef7, 0x129e8, 0x13e58, 0x17936, 0x19f7f, 0x208df, 0x23704, + 0x24564, 0x27e64, 0x2b828, 0x2bb41, 0x2ffc0, 0x304c5, 0x31f2a, 0x347de, 0x39686, 0x3ab6c, + 0x429ad, 0x45254, 0x49200, 0x4f8f8, 0x5697f, 0x57ad1, 0x5dd47, 0x607f8, 0x66199, 0x686c7, + 0x6d5f3, 0x6da7a, 0x6dbdf, 0x6f6bf, 0x6ffbb, 0x7580e, 0x78594, 0x785ac, 0x78b1d, 0x7b80d, + 0x7c11c, 0x7da35, + ]; + + // empty header, nonce 143 + static V2_19_HASH: [u64; 4] = [ + 0x6a54f2a35ab7e976, + 0x68818717ff5cd30e, + 0x9c14260c1bdbaf7, + 0xea5b4cd5d0de3cf0, + ]; + static V2_19_SOL: [u64; 42] = [ + 0x2b1e, 0x67d3, 0xb041, 0xb289, 0xc6c3, 0xd31e, 0xd75c, 0x111d7, 0x145aa, 0x1712e, 0x1a3af, + 0x1ecc5, 0x206b1, 0x2a55c, 0x2a9cd, 0x2b67e, 0x321d8, 0x35dde, 0x3721e, 0x37ac0, 0x39edb, + 0x3b80b, 0x3fc79, 0x4148b, 0x42a48, 0x44395, 0x4bbc9, 0x4f775, 0x515c5, 0x56f97, 0x5aa10, + 0x5bc1b, 0x5c56d, 0x5d552, 0x60a2e, 0x66646, 0x6c3aa, 0x70709, 0x71d13, 0x762a3, 0x79d88, + 0x7e3ae, + ]; + + #[test] + fn cuckaroo19_vectors() { + let mut ctx = CuckarooContext::::new(19, 42, 0).unwrap(); + ctx.params.siphash_keys = V1_19_HASH.clone(); + assert!(ctx.verify(&Proof::new(V1_19_SOL.to_vec().clone())).is_ok()); + ctx.params.siphash_keys = V2_19_HASH.clone(); + assert!(ctx.verify(&Proof::new(V2_19_SOL.to_vec().clone())).is_ok()); + assert!(ctx.verify(&Proof::zero(42)).is_err()); + } +} diff --git a/core/src/pow/cuckoo.rs b/core/src/pow/cuckoo.rs index c0140f87f..edce83f08 100644 --- a/core/src/pow/cuckoo.rs +++ b/core/src/pow/cuckoo.rs @@ -14,8 +14,8 @@ //! Implementation of Cuckoo Cycle designed by John Tromp. Ported to Rust from //! the C and Java code at https://github.com/tromp/cuckoo. Note that only the -//! simple miner is included, mostly for testing purposes. John Tromp's Tomato -//! miner will be much faster in almost every environment. +//! simple miner is included, mostly for testing purposes. John Tromp's miners +//! will be much faster in almost every environment. use pow::common::{CuckooParams, Edge, EdgeType}; use pow::error::{Error, ErrorKind}; diff --git a/core/src/pow/mod.rs b/core/src/pow/mod.rs index 1c1a1d4b2..3818a346f 100644 --- a/core/src/pow/mod.rs +++ b/core/src/pow/mod.rs @@ -38,6 +38,7 @@ extern crate grin_util as util; #[macro_use] mod common; +pub mod cuckaroo; pub mod cuckatoo; pub mod cuckoo; mod error; diff --git a/core/src/pow/siphash.rs b/core/src/pow/siphash.rs index 72ac38ce4..e560016d5 100644 --- a/core/src/pow/siphash.rs +++ b/core/src/pow/siphash.rs @@ -15,62 +15,110 @@ //! Simple implementation of the siphash 2-4 hashing function from //! Jean-Philippe Aumasson and Daniel J. Bernstein. -/// Implements siphash 2-4 specialized for a 4 u64 array key and a u64 nonce +// Parameters to the siphash block algorithm. Used by Cuckaroo but can be +// seen as a generic way to derive a hash within a block of them. +const SIPHASH_BLOCK_BITS: u64 = 6; +const SIPHASH_BLOCK_SIZE: u64 = 1 << SIPHASH_BLOCK_BITS; +const SIPHASH_BLOCK_MASK: u64 = SIPHASH_BLOCK_SIZE - 1; + +// helper macro for left rotation +macro_rules! rotl { + ($num:expr, $shift:expr) => { + $num = ($num << $shift) | ($num >> (64 - $shift)); + }; +} + +/// Utility function to compute a single siphash 2-4 based on a seed and +/// a nonce pub fn siphash24(v: &[u64; 4], nonce: u64) -> u64 { - let mut v0 = v[0]; - let mut v1 = v[1]; - let mut v2 = v[2]; - let mut v3 = v[3] ^ nonce; + let mut siphash = SipHash24::new(v); + siphash.hash(nonce); + siphash.digest() +} - // macro for left rotation - macro_rules! rotl { - ($num:ident, $shift:expr) => { - $num = ($num << $shift) | ($num >> (64 - $shift)); - }; +/// Builds a block of siphash values by repeatedly hashing from the nonce +/// truncated to its closest block start, up to the end of the block. Returns +/// the resulting hash at the nonce's position. +pub fn siphash_block(v: &[u64; 4], nonce: u64) -> u64 { + let mut block = Vec::with_capacity(SIPHASH_BLOCK_SIZE as usize); + // beginning of the block of hashes + let nonce0 = nonce & !SIPHASH_BLOCK_MASK; + + // fill up our block with repeated hashes + let mut siphash = SipHash24::new(v); + for n in nonce0..(nonce0 + SIPHASH_BLOCK_SIZE) { + siphash.hash(n); + block.push(siphash.digest()); + } + assert_eq!(block.len(), SIPHASH_BLOCK_SIZE as usize); + + // xor all-but-last with last value to avoid shortcuts in computing block + let last = block[SIPHASH_BLOCK_MASK as usize]; + for n in 0..SIPHASH_BLOCK_MASK { + block[n as usize] ^= last; + } + return block[(nonce & SIPHASH_BLOCK_MASK) as usize]; +} + +/// Implements siphash 2-4 specialized for a 4 u64 array key and a u64 nonce +/// that can be used for a single or multiple repeated hashing. +/// +/// The siphash structure is represented by a vector of four 64-bits words +/// that we simply reference by their position. A hashing round consists of +/// a series of arithmetic operations on those words, while the resulting +/// hash digest is an xor of xor on them. +/// +/// Note that this implementation is only secure if it's already fed words +/// output from a previous hash function (in our case blake2). +pub struct SipHash24(u64, u64, u64, u64); + +impl SipHash24 { + /// Create a new siphash context + pub fn new(v: &[u64; 4]) -> SipHash24 { + SipHash24(v[0], v[1], v[2], v[3]) } - // macro for a single siphash round - macro_rules! round { - () => { - v0 = v0.wrapping_add(v1); - v2 = v2.wrapping_add(v3); - rotl!(v1, 13); - rotl!(v3, 16); - v1 ^= v0; - v3 ^= v2; - rotl!(v0, 32); - v2 = v2.wrapping_add(v1); - v0 = v0.wrapping_add(v3); - rotl!(v1, 17); - rotl!(v3, 21); - v1 ^= v2; - v3 ^= v0; - rotl!(v2, 32); - }; + /// One siphash24 hashing, consisting of 2 and then 4 rounds + pub fn hash(&mut self, nonce: u64) { + self.3 ^= nonce; + self.round(); + self.round(); + + self.0 ^= nonce; + self.2 ^= 0xff; + + for _ in 0..4 { + self.round(); + } } - // 2 rounds - round!(); - round!(); + /// Resulting hash digest + pub fn digest(&self) -> u64 { + (self.0 ^ self.1) ^ (self.2 ^ self.3) + } - v0 ^= nonce; - v2 ^= 0xff; - - // and then 4 rounds, hence siphash 2-4 - round!(); - round!(); - round!(); - round!(); - - v0 ^ v1 ^ v2 ^ v3 + fn round(&mut self) { + self.0 = self.0.wrapping_add(self.1); + self.2 = self.2.wrapping_add(self.3); + rotl!(self.1, 13); + rotl!(self.3, 16); + self.1 ^= self.0; + self.3 ^= self.2; + rotl!(self.0, 32); + self.2 = self.2.wrapping_add(self.1); + self.0 = self.0.wrapping_add(self.3); + rotl!(self.1, 17); + rotl!(self.3, 21); + self.1 ^= self.2; + self.3 ^= self.0; + rotl!(self.2, 32); + } } #[cfg(test)] mod test { use super::*; - /// Some test vectors hoisted from the Java implementation (adjusted from - /// the fact that the Java impl uses a long, aka a signed 64 bits number). #[test] fn hash_some() { assert_eq!(siphash24(&[1, 2, 3, 4], 10), 928382149599306901); @@ -78,4 +126,11 @@ mod test { assert_eq!(siphash24(&[9, 7, 6, 7], 12), 1305683875471634734); assert_eq!(siphash24(&[9, 7, 6, 7], 10), 11589833042187638814); } + + #[test] + fn hash_block() { + assert_eq!(siphash_block(&[1, 2, 3, 4], 10), 1182162244994096396); + assert_eq!(siphash_block(&[1, 2, 3, 4], 123), 11303676240481718781); + assert_eq!(siphash_block(&[9, 7, 6, 7], 12), 4886136884237259030); + } }