cuprate/cryptonight/src/hash_v2.rs
Dmitry Holodov 00bdd6ffaa
cryptonight in pure Rust (#271)
* removed FORCE_USE_HEAP to from c code

* removed unused headers

* simplifying C code to better understand it

* more c code simplifications

* removed conditional code for the v4 register size

* got one version of keccak working

* not so important hash_process unwound

* got keccak working using the sha3 lib

* hash state unions created

* slow hash through VARIANT1_PORTABLE_INIT is working

* variant 2 init working

* ported version of random_math_init compiling, but not yet passing tests

* fixed hash algorithm, tests working

* formatting

* more macro reduction

* monero AES working in Rust

* fixed AES key expansion expected key size

* first 75% of slow hash converted and working correctly

* adjusted key format for aesb_single_round

* converted some macros to functions

* variant2_integer_math working with test cases

* broke sqrt out of variant2_integer_math for code coverage

* variant2_portable_shuffle_add working with unit tests

* added skein and jh hashes

* 524287 iteration loop producing correct results

* all tests working in Rust

* subarray macros added

* aes simplifications

* code cleanups

* code cleanups part 2

* removed unused blake C code as prep for port to rust

* original blake algorithm in pure rust is working

* converted macro in compress to a lamda

* added module documentation for blake256

* Gave Blake256 a Digest trait

* adding more documentation

* more documentation and cleanup

* more slow hash tests

* removed C code

* misc refactoring

* fix

* lint fix

* additional linting

* downgraded deps to latest stable versions

* made thiserror a workspace dep

* removed commented dead code

* lint fixes

* fixed lint issues in test code

* limited util macro scopes to the crate

* Reformatted dependencies using:
group_imports = "StdExternalCrate"
reorder_modules = true
reorder_impl_items = true
imports_granularity = "crate"

* converted util macros to inline functions

* hex dep comes from workspace

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* panic subarray tests

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* updates to doc comments

* removes extra parens in hash_v4.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* early return to remove indentation in hash_v2.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* gropuing expect annotations in hash_v2.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* use matches macro to simplify code hash_v4.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* remove extra paren in hash_v4.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* eary return to remove indentation in hash_v2.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* minor comment fixes

* early loop continue to remove indentation in hash_v4.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* convert non-capturing llamda to fn in hash_v2.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* another lamda to fn conversion in hash_v2.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* llamda to fn conversion in cnaes.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* 2nd llamda to fn conversion in cnaes.rs

Co-authored-by: hinto-janai <hinto.janai@protonmail.com>

* test lamdas in lib.rs are now functions

* round_fwd optimized

* added myself as an author

* fixed place that needed wrapping_add

* clippy allow->expect change needed after merging master

* moving state to u128

* round_fwd changes sped up fuzzer by 10%

* 1st working version using u128 for long state

* text converted to u128 array

* removed LongState union

* simplified long_state's initialization

* aes round keys now use u128

* CRYPTONIGHT_SBOX is now u32 instead of u8

* cleaner hash_v4 loop unrolling semantics (same peformance)

* switched to a better maintained loop unrolling macro
2024-10-08 16:03:56 +01:00

470 lines
15 KiB
Rust

use crate::slow_hash::{Variant, MEMORY_BLOCKS};
const U64_MASK: u128 = u64::MAX as u128;
/// Original C code:
/// <https://github.com/monero-project/monero/blob/v0.18.3.4/src/crypto/slow-hash.c#L217-L254>
/// If we kept the C code organization, this function would be in `slow_hash.rs`, but it's
/// here in the rust code to keep the `slow_hash.rs` file size manageable.
pub(crate) fn variant2_shuffle_add(
c1: &mut u128,
a: u128,
b: &[u128; 2],
long_state: &mut [u128; MEMORY_BLOCKS],
offset: usize,
variant: Variant,
) {
if !matches!(variant, Variant::V2 | Variant::R) {
return;
}
let chunk1_start = offset ^ 0x1;
let chunk2_start = offset ^ 0x2;
let chunk3_start = offset ^ 0x3;
let chunk1 = long_state[chunk1_start];
let chunk2 = long_state[chunk2_start];
let chunk3 = long_state[chunk3_start];
let chunk1_old = chunk1;
let chunk2_old = chunk2;
let chunk3_old = chunk3;
let b1 = b[1];
let chunk1 = &mut long_state[chunk1_start];
let sum1 = chunk3_old.wrapping_add(b1) & U64_MASK;
let sum2 = (chunk3_old >> 64).wrapping_add(b1 >> 64) & U64_MASK;
*chunk1 = sum2 << 64 | sum1; // TODO remove some shifting above
let chunk3 = &mut long_state[chunk3_start];
let sum1 = chunk2_old.wrapping_add(a) & U64_MASK;
let sum2 = (chunk2_old >> 64).wrapping_add(a >> 64) & U64_MASK;
*chunk3 = sum2 << 64 | sum1;
let b0 = b[0];
let chunk2 = &mut long_state[chunk2_start];
let sum1 = chunk1_old.wrapping_add(b0) & U64_MASK;
let sum2 = (chunk1_old >> 64).wrapping_add(b0 >> 64) & U64_MASK;
*chunk2 = sum2 << 64 | sum1;
if variant == Variant::R {
*c1 ^= chunk1_old ^ chunk2_old ^ chunk3_old;
}
}
#[expect(
clippy::cast_sign_loss,
clippy::cast_precision_loss,
clippy::cast_possible_truncation
)]
pub(crate) fn variant2_integer_math_sqrt(sqrt_input: u64) -> u64 {
// Get an approximation using floating point math
let mut sqrt_result =
((sqrt_input as f64 + 18_446_744_073_709_552_000.0).sqrt() * 2.0 - 8589934592.0) as u64;
// Fixup the edge cases to get the exact integer result. For more information,
// see: https://github.com/monero-project/monero/blob/v0.18.3.3/src/crypto/variant2_int_sqrt.h#L65-L152
let sqrt_div2 = sqrt_result >> 1;
let lsb = sqrt_result & 1;
let r2 = sqrt_div2
.wrapping_mul(sqrt_div2 + lsb)
.wrapping_add(sqrt_result << 32);
if r2.wrapping_add(lsb) > sqrt_input {
sqrt_result = sqrt_result.wrapping_sub(1);
}
if r2.wrapping_add(1 << 32) < sqrt_input.wrapping_sub(sqrt_div2) {
// Not sure that this is possible. I tried writing a test program
// to search subsets of u64 for a value that can trigger this
// branch, but couldn't find anything. The Go implementation came
// to the same conclusion:
// https://github.com/Equim-chan/cryptonight/blob/v0.3.0/arith_ref.go#L39-L45
sqrt_result = sqrt_result.wrapping_add(1);
}
sqrt_result
}
/// Original C code:
/// <https://github.com/monero-project/monero/blob/v0.18.3.4/src/crypto/slow-hash.c#L277-L283>
#[expect(clippy::cast_possible_truncation)]
pub(crate) fn variant2_integer_math(
c2: &mut u128,
c1: u128,
division_result: &mut u64,
sqrt_result: &mut u64,
variant: Variant,
) {
const U32_MASK: u64 = u32::MAX as u64;
if variant != Variant::V2 {
return;
}
let tmpx = *division_result ^ (*sqrt_result << 32);
*c2 ^= u128::from(tmpx);
let c1_low = c1 as u64;
let dividend = (c1 >> 64) as u64;
let divisor = ((c1_low.wrapping_add((*sqrt_result << 1) & U32_MASK)) | 0x80000001) & U32_MASK;
*division_result = ((dividend / divisor) & U32_MASK).wrapping_add((dividend % divisor) << 32);
let sqrt_input = c1_low.wrapping_add(*division_result);
*sqrt_result = variant2_integer_math_sqrt(sqrt_input);
}
#[cfg(test)]
mod tests {
use digest::Digest;
use groestl::Groestl256;
use super::*;
use crate::{
cnaes::AES_BLOCK_SIZE,
slow_hash::MEMORY_BLOCKS,
util::{hex_to_array, subarray_mut},
};
#[test]
fn test_variant2_integer_math() {
fn test(
c2_hex: &str,
c1_hex: &str,
division_result: u64,
sqrt_result: u64,
c2_hex_end: &str,
division_result_end: u64,
sqrt_result_end: u64,
) {
let mut c2 = u128::from_le_bytes(hex_to_array(c2_hex));
let c1 = u128::from_le_bytes(hex_to_array(c1_hex));
let mut division_result = division_result;
let mut sqrt_result = sqrt_result;
variant2_integer_math(
&mut c2,
c1,
&mut division_result,
&mut sqrt_result,
Variant::V2,
);
assert_eq!(hex::encode(c2.to_le_bytes()), c2_hex_end);
assert_eq!(division_result, division_result_end);
assert_eq!(sqrt_result, sqrt_result_end);
}
test(
"00000000000000000000000000000000",
"0100000000000000ffffffffffffffff",
u64::MAX,
u64::MAX,
"ffffffff000000000000000000000000",
1,
0,
);
test(
"8b4d610801fe2049741c4cf1a11912d5",
"ef9d5925ad73f044f6310bce80f333a4",
1992885167645223034,
15156498822412360757,
"f125c247b4040b0e741c4cf1a11912d5",
11701596267494179432,
3261805857,
);
test(
"540ac7dbbddf5b93fdc90f999408b7ad",
"10d2c1fdcbf7246e8623a3d946bdf422",
6226440187041759132,
1708636566,
"c83510b077a4e4a0fdc90f999408b7ad",
6478148604080708997,
2875078897,
);
test(
"0df28c3c3570ae3b68dc9d6c5a486ed7",
"a5fba99aa63fa032acf1bd65ff4df3f2",
11107069037757228366,
2924318811,
"4397ce171fdcc70f68dc9d6c5a486ed7",
7549089838000449301,
2299293038,
);
test(
"bfe14f97a968a35d0dcd6890a03c2913",
"d4a80e16ad64e3a0624a795c7b349c8a",
15584044376391133794,
276486141,
"dd4bf8759e1a9c950dcd6890a03c2913",
4771913259875991617,
3210383690,
);
test(
"820692e47779a9aabf0621e52a142468",
"df61b75f65251ee61828166e565336a9",
3269677112081011360,
1493829760,
"2254426ff54bc3debf0621e52a142468",
2626216843989114230,
175440206,
);
test(
"0b364e61de218e00e83c4073b39daa2e",
"cc463d4543eb430d08efedf2be86e322",
7096668609104405526,
713261042,
"1d521b6fac307148e83c4073b39daa2e",
8234613052379859783,
1924288792,
);
test(
"bd8fff861f6315c2be812b64cbdcf646",
"38d1e323d9dc282fa5e68f2ecbdcb950",
9545374795048279136,
271106137,
"dd532ef48b584a56be812b64cbdcf646",
2790373411402251888,
1336862722,
);
test(
"ed57e73448f357bf04dc831d5e8fd848",
"a5dcd0971e6ded60d4d98c03cd8ba205",
5991074580974163125,
2246952057,
"580331e9a7a59e6904dc831d5e8fd848",
7395390641079862703,
2868947253,
);
test(
"07ea0ffc6e182a7e97853f82e459d625",
"7e403d950f4adc97b90140875c33d65f",
8836830558353968711,
1962375668,
"40a40e3f08db7f7097853f82e459d625",
5478469695216926448,
3219877666,
);
test(
"b77688d600a356077021e2333ee3def4",
"7a9f061760287a69b57f365163fb9dac",
3127636279441542418,
1585025819,
"a5bb34d8bba848727021e2333ee3def4",
3683326568856788118,
2315202244,
);
test(
"a246a7f62b7e3d9a0b5ac66166bfcba3",
"23329476afdbd46d3be9d3ccc9011c11",
12123559059253265496,
819016365,
"fac2e5d23dc4d3020b5ac66166bfcba3",
4214751652441358299,
2469122821,
);
test(
"3e1abb8109c688405cd6c866cbdb3e13",
"b4c10bf5e06c069928afa173f62d5017",
7368515032603121941,
2312559799,
"2b43d451df231caf5cd6c866cbdb3e13",
1324536149240623108,
2509236669,
);
test(
"a31260db7c73f249b5fbc182ae7fcc8e",
"b4214755b0003e4c82d03f80d8a06bed",
1904095218141907119,
92928147,
"0c5abeec6c3f1756b5fbc182ae7fcc8e",
9883090335304272258,
3041688469,
);
test(
"e3d0bc3e619f577a1eea5adba205e494",
"cd8040848aae39104c310c1fa0eed9b8",
4873400164336079541,
2436984787,
"56c22935133bb7a81eea5adba205e494",
8226478499779865232,
1963241245,
);
test(
"f22ac244fd17cf5e3ec21bece2581a2d",
"785152f272ffa9514ef2ae0bed5cbaa7",
6386228481616770937,
1413583152,
"8bddfda13af62e523ec21bece2581a2d",
9654977853452823978,
3069608655,
);
test(
"37b3921988d9df1b38b04dc1db01a41b",
"054b87f38d203eddb16d458048f3b97b",
5592059432235016971,
2670380708,
"3c10afec40e36fc938b04dc1db01a41b",
2475375116655310772,
3553266751,
);
test(
"cfd4afb021e526d9cbd4720cc47c4ce2",
"a2e3e7fe936c2b38e3708965f2dfc586",
11958325643570725319,
825185219,
"0895d52d3237fd4dcbd4720cc47c4ce2",
2253955666499039951,
1359567468,
);
test(
"55d2ea9570994bc0aeaf6a3189bf0b4a",
"9d102c34665382dfd36e39a67e07b8aa",
10171590341391886242,
541577843,
"f7f59fbe85f4246daeaf6a3189bf0b4a",
6907584596503955220,
1004462004,
);
test(
"bf32b60d6bbaa87cececd577f2ad15d8",
"9a8471b2b72e9d39cd2d2cb124aa270a",
9778648685358392468,
469385479,
"2b9696774746e6e0ececd577f2ad15d8",
4910280747850874346,
1899784302,
);
test(
"d70ac5de7a390e2a735726324d0b52b5",
"6cf5b75b005599047972995ffbe34101",
2318211298357120319,
1093372020,
"e8871a66ea410e4b735726324d0b52b5",
14587709575956469579,
2962700286,
);
test(
"412f463e5143eace451dcb2a2efd8022",
"38ed251c7915236b2aca4ea995b861c9",
10458537212399393571,
621387691,
"623403e9d4ecc77a451dcb2a2efd8022",
12914179687381327414,
495045866,
);
}
#[test]
fn test_variant2_integer_math_sqrt() {
// Edge case values taken from here:
// https://github.com/monero-project/monero/blob/v0.18.3.3/src/crypto/variant2_int_sqrt.h#L33-L43
let test_cases = [
(0, 0),
(1 << 32, 0),
((1 << 32) + 1, 1),
(1 << 50, 262140),
((1 << 55) + 20963331, 8384515),
((1 << 55) + 20963332, 8384516),
((1 << 62) + 26599786, 1013904242),
((1 << 62) + 26599787, 1013904243),
(u64::MAX, 3558067407),
];
for &(input, expected) in &test_cases {
assert_eq!(
variant2_integer_math_sqrt(input),
expected,
"input = {input}"
);
}
}
#[test]
fn test_variant2_shuffle_add() {
#[expect(clippy::cast_possible_truncation)]
fn test(
c1_hex: &str,
a_hex: &str,
b_hex: &str,
offset: usize,
variant: Variant,
c1_hex_end: &str,
long_state_end_hash: &str,
) {
let mut c1 = u128::from_le_bytes(hex_to_array(c1_hex));
let a = u128::from_le_bytes(hex_to_array(a_hex));
let b: [u128; 2] = [
u128::from_le_bytes(hex_to_array(&b_hex[0..AES_BLOCK_SIZE * 2])),
u128::from_le_bytes(hex_to_array(&b_hex[AES_BLOCK_SIZE * 2..])),
];
// Every byte of long_state memory is initialized with it's offset index mod 256
// when the u128 blocks are converted to bytes in native endian format.
let mut long_state: Vec<u128> = Vec::with_capacity(MEMORY_BLOCKS);
for i in 0..long_state.capacity() {
let mut block = [0_u8; AES_BLOCK_SIZE];
for (j, byte) in block.iter_mut().enumerate() {
*byte = (i * AES_BLOCK_SIZE + j) as u8;
}
long_state.push(u128::from_le_bytes(block));
}
variant2_shuffle_add(
&mut c1,
a,
&b,
subarray_mut(&mut long_state, 0),
offset,
variant,
);
assert_eq!(hex::encode(c1.to_le_bytes()), c1_hex_end);
let mut hash = Groestl256::new();
for block in long_state {
hash.update(block.to_le_bytes());
}
let hash = hex::encode(hash.finalize().as_slice());
assert_eq!(hash, long_state_end_hash);
}
test(
"d7143e3b6ffdeae4b2ceea30e9889c8a",
"875fa34de3af48f15638bad52581ef4c",
"b07d6f24f19434289b305525f094d8d7bd9d3c9bc956ac081d6186432a282a36",
221056 / AES_BLOCK_SIZE,
Variant::R,
"5795bcb8eb786c633a4760bb65051205",
"26c32c4c2eeec340d62b88f5261d1a264c74240c2f8424c6e7101cf490e5772e",
);
test(
"c7d6fe95ffd8d902d2cfc1883f7a2bc3",
"bceb9d8cb71c2ac85c24129c94708e17",
"4b3a589c187e26bea487b19ea36eb19e8369f4825642eb467c75bf07466b87ba",
1960880 / AES_BLOCK_SIZE,
Variant::V2,
"c7d6fe95ffd8d902d2cfc1883f7a2bc3",
"2d4ddadd0e53a02797c62bf37d11bb2de73e6769abd834a81c1262752176a024",
);
test(
"92ad41fc1596244e2e0f0bfed6555cef",
"d1f0337e48c4f53742cedd78b6b33b67",
"b17bce6c44e0f680aa0f0a28a4e3865b43cdd18644a383e7a9d2f17310e5b6aa",
1306832 / AES_BLOCK_SIZE,
Variant::R,
"427c932fc143f299f6d6d1250a888230",
"984440e0b9f77f1159f09b13d2d455292d5a9b4095037f4e8ca2a0ed982bee8f",
);
test(
"7e2c813d10f06d4b8af85389bc82eb18",
"74fc41829b88f55e62aec4749685b323",
"7a00c480b31d851359d78fad279dcd343bcd6a5f902ac0b55da656d735dbf329",
130160 / AES_BLOCK_SIZE,
Variant::V2,
"7e2c813d10f06d4b8af85389bc82eb18",
"6ccb68ee6fc38a6e91f546f62b8e1a64b5223a4a0ef916e6062188c4ee15a879",
);
}
}