Cryptonight variant 2 support + tests (zone117x#64)

Reference code: monero-project/monero#4218

Author: SChernykh

crypto/variant2_int_sqrt.h

@@ -0,0 +1,166 @@
+#ifndef VARIANT2_INT_SQRT_H
+#define VARIANT2_INT_SQRT_H
+
+#include <math.h>
+#include <float.h>
+
+#define VARIANT2_INTEGER_MATH_SQRT_STEP_SSE2() \
+  do { \
+    const __m128i exp_double_bias = _mm_set_epi64x(0, 1023ULL << 52); \
+    __m128d x = _mm_castsi128_pd(_mm_add_epi64(_mm_cvtsi64_si128(sqrt_input >> 12), exp_double_bias)); \
+    x = _mm_sqrt_sd(_mm_setzero_pd(), x); \
+    sqrt_result = (uint64_t)(_mm_cvtsi128_si64(_mm_sub_epi64(_mm_castpd_si128(x), exp_double_bias))) >> 19; \
+  } while(0)
+
+#define VARIANT2_INTEGER_MATH_SQRT_STEP_FP64() \
+  do { \
+    sqrt_result = sqrt(sqrt_input + 18446744073709551616.0) * 2.0 - 8589934592.0; \
+  } while(0)
+
+#define VARIANT2_INTEGER_MATH_SQRT_STEP_REF() \
+  sqrt_result = integer_square_root_v2(sqrt_input)
+
+// Reference implementation of the integer square root for Cryptonight variant 2
+// Computes integer part of "sqrt(2^64 + n) * 2 - 2^33"
+//
+// In other words, given 64-bit unsigned integer n:
+// 1) Write it as x = 1.NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN000... in binary (1 <= x < 2, all 64 bits of n are used)
+// 2) Calculate sqrt(x) = 1.0RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR... (1 <= sqrt(x) < sqrt(2), so it will always start with "1.0" in binary)
+// 3) Take 32 bits that come after "1.0" and return them as a 32-bit unsigned integer, discard all remaining bits
+//
+// Some sample inputs and outputs:
+//
+// Input            | Output     | Exact value of "sqrt(2^64 + n) * 2 - 2^33"
+// -----------------|------------|-------------------------------------------
+// 0                | 0          | 0
+// 2^32             | 0          | 0.99999999994179233909330885695244...
+// 2^32 + 1         | 1          | 1.0000000001746229827200734316305...
+// 2^50             | 262140     | 262140.00012206565608606978175873...
+// 2^55 + 20963331  | 8384515    | 8384515.9999999997673963974959744...
+// 2^55 + 20963332  | 8384516    | 8384516
+// 2^62 + 26599786  | 1013904242 | 1013904242.9999999999479374853545...
+// 2^62 + 26599787  | 1013904243 | 1013904243.0000000001561875439364...
+// 2^64 - 1         | 3558067407 | 3558067407.9041987696409179931096...
+
+// The reference implementation as it is now uses only unsigned int64 arithmetic, so it can't have undefined behavior
+// It was tested once for all edge cases and confirmed correct
+//
+// !!! Note: if you're modifying this code, uncomment the test in monero/tests/hash/main.cpp !!!
+//
+static inline uint32_t integer_square_root_v2(uint64_t n)
+{
+  uint64_t r = 1ULL << 63;
+
+  for (uint64_t bit = 1ULL << 60; bit; bit >>= 2)
+  {
+    const bool b = (n < r + bit);
+    const uint64_t n_next = n - (r + bit);
+    const uint64_t r_next = r + bit * 2;
+    n = b ? n : n_next;
+    r = b ? r : r_next;
+    r >>= 1;
+  }
+
+  return r * 2 + ((n > r) ? 1 : 0);
+}
+
+/*
+VARIANT2_INTEGER_MATH_SQRT_FIXUP checks that "r" is an integer part of "sqrt(2^64 + sqrt_input) * 2 - 2^33" and adds or subtracts 1 if needed
+It's hard to understand how it works, so here is a full calculation of formulas used in VARIANT2_INTEGER_MATH_SQRT_FIXUP
+
+The following inequalities must hold for r if it's an integer part of "sqrt(2^64 + sqrt_input) * 2 - 2^33":
+1) r <= sqrt(2^64 + sqrt_input) * 2 - 2^33
+2) r + 1 > sqrt(2^64 + sqrt_input) * 2 - 2^33
+
+We need to check them using only unsigned integer arithmetic to avoid rounding errors and undefined behavior
+
+First inequality: r <= sqrt(2^64 + sqrt_input) * 2 - 2^33
+-----------------------------------------------------------------------------------
+r <= sqrt(2^64 + sqrt_input) * 2 - 2^33
+r + 2^33 <= sqrt(2^64 + sqrt_input) * 2
+r/2 + 2^32 <= sqrt(2^64 + sqrt_input)
+(r/2 + 2^32)^2 <= 2^64 + sqrt_input
+
+Rewrite r as r = s * 2 + b (s = trunc(r/2), b is 0 or 1)
+
+((s*2+b)/2 + 2^32)^2 <= 2^64 + sqrt_input
+(s*2+b)^2/4 + 2*2^32*(s*2+b)/2 + 2^64 <= 2^64 + sqrt_input
+(s*2+b)^2/4 + 2*2^32*(s*2+b)/2 <= sqrt_input
+(s*2+b)^2/4 + 2^32*r <= sqrt_input
+(s^2*4+2*s*2*b+b^2)/4 + 2^32*r <= sqrt_input
+s^2+s*b+b^2/4 + 2^32*r <= sqrt_input
+s*(s+b) + b^2/4 + 2^32*r <= sqrt_input
+
+Let r2 = s*(s+b) + r*2^32
+r2 + b^2/4 <= sqrt_input
+
+If this inequality doesn't hold, then we must decrement r: IF "r2 + b^2/4 > sqrt_input" THEN r = r - 1
+
+b can be 0 or 1
+If b is 0 then we need to compare "r2 > sqrt_input"
+If b is 1 then b^2/4 = 0.25, so we need to compare "r2 + 0.25 > sqrt_input"
+Since both r2 and sqrt_input are integers, we can safely replace it with "r2 + 1 > sqrt_input"
+-----------------------------------------------------------------------------------
+Both cases can be merged to a single expression "r2 + b > sqrt_input"
+-----------------------------------------------------------------------------------
+There will be no overflow when calculating "r2 + b", so it's safe to compare with sqrt_input:
+r2 + b = s*(s+b) + r*2^32 + b
+The largest value s, b and r can have is s = 1779033703, b = 1, r = 3558067407 when sqrt_input = 2^64 - 1
+r2 + b <= 1779033703*1779033704 + 3558067407*2^32 + 1 = 18446744068217447385 < 2^64
+
+Second inequality: r + 1 > sqrt(2^64 + sqrt_input) * 2 - 2^33
+-----------------------------------------------------------------------------------
+r + 1 > sqrt(2^64 + sqrt_input) * 2 - 2^33
+r + 1 + 2^33 > sqrt(2^64 + sqrt_input) * 2
+((r+1)/2 + 2^32)^2 > 2^64 + sqrt_input
+
+Rewrite r as r = s * 2 + b (s = trunc(r/2), b is 0 or 1)
+
+((s*2+b+1)/2 + 2^32)^2 > 2^64 + sqrt_input
+(s*2+b+1)^2/4 + 2*(s*2+b+1)/2*2^32 + 2^64 > 2^64 + sqrt_input
+(s*2+b+1)^2/4 + (s*2+b+1)*2^32 > sqrt_input
+(s*2+b+1)^2/4 + (r+1)*2^32 > sqrt_input
+(s*2+(b+1))^2/4 + r*2^32 + 2^32 > sqrt_input
+(s^2*4+2*s*2*(b+1)+(b+1)^2)/4 + r*2^32 + 2^32 > sqrt_input
+s^2+s*(b+1)+(b+1)^2/4 + r*2^32 + 2^32 > sqrt_input
+s*(s+b) + s + (b+1)^2/4 + r*2^32 + 2^32 > sqrt_input
+
+Let r2 = s*(s+b) + r*2^32
+
+r2 + s + (b+1)^2/4 + 2^32 > sqrt_input
+r2 + 2^32 + (b+1)^2/4 > sqrt_input - s
+
+If this inequality doesn't hold, then we must decrement r: IF "r2 + 2^32 + (b+1)^2/4 <= sqrt_input - s" THEN r = r - 1
+b can be 0 or 1
+If b is 0 then we need to compare "r2 + 2^32 + 1/4 <= sqrt_input - s" which is equal to "r2 + 2^32 < sqrt_input - s" because all numbers here are integers
+If b is 1 then (b+1)^2/4 = 1, so we need to compare "r2 + 2^32 + 1 <= sqrt_input - s" which is also equal to "r2 + 2^32 < sqrt_input - s"
+-----------------------------------------------------------------------------------
+Both cases can be merged to a single expression "r2 + 2^32 < sqrt_input - s"
+-----------------------------------------------------------------------------------
+There will be no overflow when calculating "r2 + 2^32":
+r2 + 2^32 = s*(s+b) + r*2^32 + 2^32 = s*(s+b) + (r+1)*2^32
+The largest value s, b and r can have is s = 1779033703, b = 1, r = 3558067407 when sqrt_input = 2^64 - 1
+r2 + b <= 1779033703*1779033704 + 3558067408*2^32 = 18446744072512414680 < 2^64
+
+There will be no integer overflow when calculating "sqrt_input - s", i.e. "sqrt_input >= s" at all times:
+s = trunc(r/2) = trunc(sqrt(2^64 + sqrt_input) - 2^32) < sqrt(2^64 + sqrt_input) - 2^32 + 1
+sqrt_input > sqrt(2^64 + sqrt_input) - 2^32 + 1
+sqrt_input + 2^32 - 1 > sqrt(2^64 + sqrt_input)
+(sqrt_input + 2^32 - 1)^2 > sqrt_input + 2^64
+sqrt_input^2 + 2*sqrt_input*(2^32 - 1) + (2^32-1)^2 > sqrt_input + 2^64
+sqrt_input^2 + sqrt_input*(2^33 - 2) + (2^32-1)^2 > sqrt_input + 2^64
+sqrt_input^2 + sqrt_input*(2^33 - 3) + (2^32-1)^2 > 2^64
+sqrt_input^2 + sqrt_input*(2^33 - 3) + 2^64-2^33+1 > 2^64
+sqrt_input^2 + sqrt_input*(2^33 - 3) - 2^33 + 1 > 0
+This inequality is true if sqrt_input > 1 and it's easy to check that s = 0 if sqrt_input is 0 or 1, so there will be no integer overflow
+*/
+
+#define VARIANT2_INTEGER_MATH_SQRT_FIXUP(r) \
+  do { \
+    const uint64_t s = r >> 1; \
+    const uint64_t b = r & 1; \
+    const uint64_t r2 = (uint64_t)(s) * (s + b) + (r << 32); \
+    r += ((r2 + b > sqrt_input) ? -1 : 0) + ((r2 + (1ULL << 32) < sqrt_input - s) ? 1 : 0); \
+  } while(0)
+
+#endif

cryptonight.c

@@ -14,6 +14,7 @@
 #include "crypto/c_skein.h"
 #include "crypto/int-util.h"
 #include "crypto/hash-ops.h"
+#include "crypto/variant2_int_sqrt.h"
 
 #define MEMORY         (1 << 21) /* 2 MiB */
 #define ITER           (1 << 20)
@@ -23,7 +24,7 @@
 #define INIT_SIZE_BYTE (INIT_SIZE_BLK * AES_BLOCK_SIZE)
 
 #define VARIANT1_1(p) \
-  do if (variant > 0) \
+  do if (variant == 1) \
   { \
     const uint8_t tmp = ((const uint8_t*)(p))[11]; \
     static const uint32_t table = 0x75310; \
@@ -32,18 +33,98 @@
   } while(0)
 
 #define VARIANT1_2(p) \
-   do if (variant > 0) \
+   do if (variant == 1) \
    { \
      ((uint64_t*)p)[1] ^= tweak1_2; \
    } while(0)
 
 #define VARIANT1_INIT() \
-  if (variant > 0 && len < 43) \
+  if (variant == 1 && len < 43) \
   { \
-    fprintf(stderr, "Cryptonight variants need at least 43 bytes of data"); \
+    fprintf(stderr, "Cryptonight variant 1 needs at least 43 bytes of data"); \
     _exit(1); \
   } \
-  const uint64_t tweak1_2 = variant > 0 ? *(const uint64_t*)(((const uint8_t*)input)+35) ^ ctx->state.hs.w[24] : 0
+  const uint64_t tweak1_2 = (variant == 1) ? *(const uint64_t*)(((const uint8_t*)input)+35) ^ ctx->state.hs.w[24] : 0
+
+#define U64(p) ((uint64_t*)(p))
+
+#define VARIANT2_INIT(b, state) \
+  uint64_t division_result; \
+  uint64_t sqrt_result; \
+  do if (variant >= 2) \
+  { \
+    U64(b)[2] = state.hs.w[8] ^ state.hs.w[10]; \
+    U64(b)[3] = state.hs.w[9] ^ state.hs.w[11]; \
+    division_result = state.hs.w[12]; \
+    sqrt_result = state.hs.w[13]; \
+  } while (0)
+
+#define VARIANT2_SHUFFLE_ADD(base_ptr, offset, a, b) \
+  do if (variant >= 2) \
+  { \
+    uint64_t* chunk1 = U64((base_ptr) + ((offset) ^ 0x10)); \
+    uint64_t* chunk2 = U64((base_ptr) + ((offset) ^ 0x20)); \
+    uint64_t* chunk3 = U64((base_ptr) + ((offset) ^ 0x30)); \
+    \
+    const uint64_t chunk1_old[2] = { chunk1[0], chunk1[1] }; \
+    \
+    chunk1[0] = chunk3[0] + U64(b + 16)[0]; \
+    chunk1[1] = chunk3[1] + U64(b + 16)[1]; \
+    \
+    chunk3[0] = chunk2[0] + U64(a)[0]; \
+    chunk3[1] = chunk2[1] + U64(a)[1]; \
+    \
+    chunk2[0] = chunk1_old[0] + U64(b)[0]; \
+    chunk2[1] = chunk1_old[1] + U64(b)[1]; \
+  } while (0)
+
+#define VARIANT2_INTEGER_MATH_DIVISION_STEP(b, ptr) \
+  ((uint64_t*)(b))[0] ^= division_result ^ (sqrt_result << 32); \
+  { \
+    const uint64_t dividend = ((uint64_t*)(ptr))[1]; \
+    const uint32_t divisor = (((uint32_t*)(ptr))[0] + (uint32_t)(sqrt_result << 1)) | 0x80000001UL; \
+    division_result = ((uint32_t)(dividend / divisor)) + \
+                     (((uint64_t)(dividend % divisor)) << 32); \
+  } \
+  const uint64_t sqrt_input = ((uint64_t*)(ptr))[0] + division_result
+
+#if defined(__x86_64__) || (defined(_MSC_VER) && defined(_WIN64))
+#include <emmintrin.h>
+
+#if defined(_MSC_VER) || defined(__MINGW32__)
+#include <intrin.h>
+#else
+#include <wmmintrin.h>
+#endif
+
+#define VARIANT2_INTEGER_MATH(b, ptr) \
+    do if (variant >= 2) \
+    { \
+      VARIANT2_INTEGER_MATH_DIVISION_STEP(b, ptr); \
+      VARIANT2_INTEGER_MATH_SQRT_STEP_SSE2(); \
+      VARIANT2_INTEGER_MATH_SQRT_FIXUP(sqrt_result); \
+    } while (0)
+#else
+#if defined DBL_MANT_DIG && (DBL_MANT_DIG >= 50)
+  // double precision floating point type has enough bits of precision on current platform
+#define VARIANT2_INTEGER_MATH(b, ptr) \
+    do if (variant >= 2) \
+    { \
+      VARIANT2_INTEGER_MATH_DIVISION_STEP(b, ptr); \
+      VARIANT2_INTEGER_MATH_SQRT_STEP_FP64(); \
+      VARIANT2_INTEGER_MATH_SQRT_FIXUP(sqrt_result); \
+    } while (0)
+#else
+  // double precision floating point type is not good enough on current platform
+  // fall back to the reference code (integer only)
+#define VARIANT2_INTEGER_MATH(b, ptr) \
+    do if (variant >= 2) \
+    { \
+      VARIANT2_INTEGER_MATH_DIVISION_STEP(b, ptr); \
+      VARIANT2_INTEGER_MATH_SQRT_STEP_REF(); \
+    } while (0)
+#endif
+#endif
 
 #pragma pack(push, 1)
 union cn_slow_hash_state {
@@ -88,16 +169,6 @@ static void mul(const uint8_t* a, const uint8_t* b, uint8_t* res) {
     ((uint64_t*) res)[1] = mul128(((uint64_t*) a)[0], ((uint64_t*) b)[0], (uint64_t*) res);
 }
 
-static void mul_sum_xor_dst(const uint8_t* a, uint8_t* c, uint8_t* dst) {
-    uint64_t hi, lo = mul128(((uint64_t*) a)[0], ((uint64_t*) dst)[0], &hi) + ((uint64_t*) c)[1];
-    hi += ((uint64_t*) c)[0];
-
-    ((uint64_t*) c)[0] = ((uint64_t*) dst)[0] ^ hi;
-    ((uint64_t*) c)[1] = ((uint64_t*) dst)[1] ^ lo;
-    ((uint64_t*) dst)[0] = hi;
-    ((uint64_t*) dst)[1] = lo;
-}
-
 static void sum_half_blocks(uint8_t* a, const uint8_t* b) {
     uint64_t a0, a1, b0, b1;
 
@@ -141,7 +212,7 @@ struct cryptonight_ctx {
     union cn_slow_hash_state state;
     uint8_t text[INIT_SIZE_BYTE];
     uint8_t a[AES_BLOCK_SIZE];
-    uint8_t b[AES_BLOCK_SIZE];
+    uint8_t b[AES_BLOCK_SIZE * 2];
     uint8_t c[AES_BLOCK_SIZE];
     uint8_t aes_key[AES_KEY_SIZE];
     oaes_ctx* aes_ctx;
@@ -156,6 +227,7 @@ void cryptonight_hash(const char* input, char* output, uint32_t len, int variant
     size_t i, j;
 
     VARIANT1_INIT();
+    VARIANT2_INIT(ctx->b, ctx->state);
 
     oaes_key_import_data(ctx->aes_ctx, ctx->aes_key, AES_KEY_SIZE);
     for (i = 0; i < MEMORY / INIT_SIZE_BYTE; i++) {
@@ -180,14 +252,37 @@ void cryptonight_hash(const char* input, char* output, uint32_t len, int variant
         /* Iteration 1 */
         j = e2i(ctx->a);
         aesb_single_round(&ctx->long_state[j * AES_BLOCK_SIZE], ctx->c, ctx->a);
+        VARIANT2_SHUFFLE_ADD(ctx->long_state, j * AES_BLOCK_SIZE, ctx->a, ctx->b);
         xor_blocks_dst(ctx->c, ctx->b, &ctx->long_state[j * AES_BLOCK_SIZE]);
-	VARIANT1_1((uint8_t*)&ctx->long_state[j * AES_BLOCK_SIZE]);
+        VARIANT1_1((uint8_t*)&ctx->long_state[j * AES_BLOCK_SIZE]);
         /* Iteration 2 */
-        mul_sum_xor_dst(ctx->c, ctx->a,
-                &ctx->long_state[e2i(ctx->c) * AES_BLOCK_SIZE]);
+        j = e2i(ctx->c);
+
+        uint64_t* dst = (uint64_t*)&ctx->long_state[j * AES_BLOCK_SIZE];
+
+        uint64_t t[2];
+        t[0] = dst[0];
+        t[1] = dst[1];
+
+        VARIANT2_INTEGER_MATH(t, ctx->c);
+
+        uint64_t hi;
+        uint64_t lo = mul128(((uint64_t*)ctx->c)[0], t[0], &hi);
+
+        VARIANT2_SHUFFLE_ADD(ctx->long_state, j * AES_BLOCK_SIZE, ctx->a, ctx->b);
+
+        ((uint64_t*)ctx->a)[0] += hi;
+        ((uint64_t*)ctx->a)[1] += lo;
+
+        dst[0] = ((uint64_t*)ctx->a)[0];
+        dst[1] = ((uint64_t*)ctx->a)[1];
+
+        ((uint64_t*)ctx->a)[0] ^= t[0];
+        ((uint64_t*)ctx->a)[1] ^= t[1];
+
+        VARIANT1_2((uint8_t*)&ctx->long_state[j * AES_BLOCK_SIZE]);
+        copy_block(ctx->b + AES_BLOCK_SIZE, ctx->b);
         copy_block(ctx->b, ctx->c);
-	VARIANT1_2((uint8_t*)
-                &ctx->long_state[e2i(ctx->c) * AES_BLOCK_SIZE]);
     }
 
     memcpy(ctx->text, ctx->state.init, INIT_SIZE_BYTE);