core/vm, crypto/blake2b: add BLAKE2b compression func at 0x09

The precompile at 0x09 wraps the BLAKE2b F compression function:
https://tools.ietf.org/html/rfc7693#section-3.2

The precompile requires 6 inputs tightly encoded, taking exactly 213
bytes, as explained below.

- `rounds` - the number of rounds - 32-bit unsigned big-endian word
- `h` - the state vector - 8 unsigned 64-bit little-endian words
- `m` - the message block vector - 16 unsigned 64-bit little-endian words
- `t_0, t_1` - offset counters - 2 unsigned 64-bit little-endian words
- `f` - the final block indicator flag - 8-bit word

[4 bytes for rounds][64 bytes for h][128 bytes for m][8 bytes for t_0]
[8 bytes for t_1][1 byte for f]

The boolean `f` parameter is considered as `true` if set to `1`.
The boolean `f` parameter is considered as `false` if set to `0`.
All other values yield an invalid encoding of `f` error.

The precompile should compute the F function as specified in the RFC
(https://tools.ietf.org/html/rfc7693#section-3.2) and return the updated
state vector `h` with unchanged encoding (little-endian).

See EIP-152 for details.

2 files changed, 290 insertions, 0 deletions

diff --git a/crypto/blake2b/f.go b/crypto/blake2b/f.go
new file mode 100644
index 000000000..63abd6d97
--- /dev/null
+++ b/crypto/blake2b/f.go
@@ -0,0 +1,181 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Modified by The Keep Network Authors to adjust
+// to EIP-152 precompile format.
+
+package blake2b
+
+import (
+	"math/bits"
+)
+
+// IV is an initialization vector for BLAKE2b
+var IV = [8]uint64{
+	0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
+	0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179,
+}
+
+// the precomputed values for BLAKE2b
+// there are 10 16-byte arrays - one for each round
+// the entries are calculated from the sigma constants.
+var precomputed = [10][16]byte{
+	{0, 2, 4, 6, 1, 3, 5, 7, 8, 10, 12, 14, 9, 11, 13, 15},
+	{14, 4, 9, 13, 10, 8, 15, 6, 1, 0, 11, 5, 12, 2, 7, 3},
+	{11, 12, 5, 15, 8, 0, 2, 13, 10, 3, 7, 9, 14, 6, 1, 4},
+	{7, 3, 13, 11, 9, 1, 12, 14, 2, 5, 4, 15, 6, 10, 0, 8},
+	{9, 5, 2, 10, 0, 7, 4, 15, 14, 11, 6, 3, 1, 12, 8, 13},
+	{2, 6, 0, 8, 12, 10, 11, 3, 4, 7, 15, 1, 13, 5, 14, 9},
+	{12, 1, 14, 4, 5, 15, 13, 10, 0, 6, 9, 8, 7, 3, 2, 11},
+	{13, 7, 12, 3, 11, 14, 1, 9, 5, 15, 8, 2, 0, 4, 6, 10},
+	{6, 14, 11, 0, 15, 9, 3, 8, 12, 13, 1, 10, 2, 7, 4, 5},
+	{10, 8, 7, 1, 2, 4, 6, 5, 15, 9, 3, 13, 11, 14, 12, 0},
+}
+
+// F is a compression function for BLAKE2b. It takes as an argument the state
+// vector `h`, message block vector `m`, offset counter `t`, final
+// block indicator flag `f`, and number of rounds `rounds`. The state vector
+// provided as the first parameter is modified by the function.
+func F(h *[8]uint64, m [16]uint64, c [2]uint64, f bool, rounds uint32) {
+	c0, c1 := c[0], c[1]
+
+	v0, v1, v2, v3, v4, v5, v6, v7 := h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7]
+	v8, v9, v10, v11, v12, v13, v14, v15 := IV[0], IV[1], IV[2], IV[3], IV[4], IV[5], IV[6], IV[7]
+	v12 ^= c0
+	v13 ^= c1
+
+	if f {
+		v14 ^= 0xffffffffffffffff
+	}
+
+	for j := uint32(0); j < rounds; j++ {
+		s := &(precomputed[j%10])
+
+		v0 += m[s[0]]
+		v0 += v4
+		v12 ^= v0
+		v12 = bits.RotateLeft64(v12, -32)
+		v8 += v12
+		v4 ^= v8
+		v4 = bits.RotateLeft64(v4, -24)
+		v1 += m[s[1]]
+		v1 += v5
+		v13 ^= v1
+		v13 = bits.RotateLeft64(v13, -32)
+		v9 += v13
+		v5 ^= v9
+		v5 = bits.RotateLeft64(v5, -24)
+		v2 += m[s[2]]
+		v2 += v6
+		v14 ^= v2
+		v14 = bits.RotateLeft64(v14, -32)
+		v10 += v14
+		v6 ^= v10
+		v6 = bits.RotateLeft64(v6, -24)
+		v3 += m[s[3]]
+		v3 += v7
+		v15 ^= v3
+		v15 = bits.RotateLeft64(v15, -32)
+		v11 += v15
+		v7 ^= v11
+		v7 = bits.RotateLeft64(v7, -24)
+
+		v0 += m[s[4]]
+		v0 += v4
+		v12 ^= v0
+		v12 = bits.RotateLeft64(v12, -16)
+		v8 += v12
+		v4 ^= v8
+		v4 = bits.RotateLeft64(v4, -63)
+		v1 += m[s[5]]
+		v1 += v5
+		v13 ^= v1
+		v13 = bits.RotateLeft64(v13, -16)
+		v9 += v13
+		v5 ^= v9
+		v5 = bits.RotateLeft64(v5, -63)
+		v2 += m[s[6]]
+		v2 += v6
+		v14 ^= v2
+		v14 = bits.RotateLeft64(v14, -16)
+		v10 += v14
+		v6 ^= v10
+		v6 = bits.RotateLeft64(v6, -63)
+		v3 += m[s[7]]
+		v3 += v7
+		v15 ^= v3
+		v15 = bits.RotateLeft64(v15, -16)
+		v11 += v15
+		v7 ^= v11
+		v7 = bits.RotateLeft64(v7, -63)
+
+		v0 += m[s[8]]
+		v0 += v5
+		v15 ^= v0
+		v15 = bits.RotateLeft64(v15, -32)
+		v10 += v15
+		v5 ^= v10
+		v5 = bits.RotateLeft64(v5, -24)
+		v1 += m[s[9]]
+		v1 += v6
+		v12 ^= v1
+		v12 = bits.RotateLeft64(v12, -32)
+		v11 += v12
+		v6 ^= v11
+		v6 = bits.RotateLeft64(v6, -24)
+		v2 += m[s[10]]
+		v2 += v7
+		v13 ^= v2
+		v13 = bits.RotateLeft64(v13, -32)
+		v8 += v13
+		v7 ^= v8
+		v7 = bits.RotateLeft64(v7, -24)
+		v3 += m[s[11]]
+		v3 += v4
+		v14 ^= v3
+		v14 = bits.RotateLeft64(v14, -32)
+		v9 += v14
+		v4 ^= v9
+		v4 = bits.RotateLeft64(v4, -24)
+
+		v0 += m[s[12]]
+		v0 += v5
+		v15 ^= v0
+		v15 = bits.RotateLeft64(v15, -16)
+		v10 += v15
+		v5 ^= v10
+		v5 = bits.RotateLeft64(v5, -63)
+		v1 += m[s[13]]
+		v1 += v6
+		v12 ^= v1
+		v12 = bits.RotateLeft64(v12, -16)
+		v11 += v12
+		v6 ^= v11
+		v6 = bits.RotateLeft64(v6, -63)
+		v2 += m[s[14]]
+		v2 += v7
+		v13 ^= v2
+		v13 = bits.RotateLeft64(v13, -16)
+		v8 += v13
+		v7 ^= v8
+		v7 = bits.RotateLeft64(v7, -63)
+		v3 += m[s[15]]
+		v3 += v4
+		v14 ^= v3
+		v14 = bits.RotateLeft64(v14, -16)
+		v9 += v14
+		v4 ^= v9
+		v4 = bits.RotateLeft64(v4, -63)
+
+	}
+
+	h[0] ^= v0 ^ v8
+	h[1] ^= v1 ^ v9
+	h[2] ^= v2 ^ v10
+	h[3] ^= v3 ^ v11
+	h[4] ^= v4 ^ v12
+	h[5] ^= v5 ^ v13
+	h[6] ^= v6 ^ v14
+	h[7] ^= v7 ^ v15
+}
diff --git a/crypto/blake2b/f_test.go b/crypto/blake2b/f_test.go
new file mode 100644
index 000000000..5141d61cb
--- /dev/null
+++ b/crypto/blake2b/f_test.go
@@ -0,0 +1,109 @@
+package blake2b
+
+import (
+	"encoding/binary"
+	"encoding/hex"
+	"fmt"
+	"reflect"
+	"testing"
+)
+
+func TestF(t *testing.T) {
+	for i, test := range testVectorsF {
+		t.Run(fmt.Sprintf("test vector %v", i), func(t *testing.T) {
+			//toEthereumTestCase(test)
+
+			h := test.hIn
+
+			F(&h, test.m, test.c, test.f, test.rounds)
+
+			if !reflect.DeepEqual(test.hOut, h) {
+				t.Errorf("Unexpected result\nExpected: [%v]\nActual:   [%v]\n", test.hOut, h)
+			}
+		})
+	}
+}
+
+type testVector struct {
+	hIn    [8]uint64
+	m      [16]uint64
+	c      [2]uint64
+	f      bool
+	rounds uint32
+	hOut   [8]uint64
+}
+
+// https://tools.ietf.org/html/rfc7693#appendix-A
+var testVectorsF = []testVector{
+	{
+		hIn: [8]uint64{
+			0x6a09e667f2bdc948, 0xbb67ae8584caa73b,
+			0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
+			0x510e527fade682d1, 0x9b05688c2b3e6c1f,
+			0x1f83d9abfb41bd6b, 0x5be0cd19137e2179,
+		},
+		m: [16]uint64{
+			0x0000000000636261, 0x0000000000000000, 0x0000000000000000,
+			0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
+			0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
+			0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
+			0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
+			0x0000000000000000,
+		},
+		c:      [2]uint64{3, 0},
+		f:      true,
+		rounds: 12,
+		hOut: [8]uint64{
+			0x0D4D1C983FA580BA, 0xE9F6129FB697276A, 0xB7C45A68142F214C,
+			0xD1A2FFDB6FBB124B, 0x2D79AB2A39C5877D, 0x95CC3345DED552C2,
+			0x5A92F1DBA88AD318, 0x239900D4ED8623B9,
+		},
+	},
+}
+
+// toEthereumTestCase transforms F test vector into test vector format used by
+// go-ethereum precompiles
+func toEthereumTestCase(vector testVector) {
+	var memory [213]byte
+
+	// 4 bytes for rounds
+	binary.BigEndian.PutUint32(memory[0:4], uint32(vector.rounds))
+
+	// for h (512 bits = 64 bytes)
+	for i := 0; i < 8; i++ {
+		offset := 4 + i*8
+		binary.LittleEndian.PutUint64(memory[offset:offset+8], vector.hIn[i])
+
+	}
+
+	// for m (1024 bits = 128 bytes)
+	for i := 0; i < 16; i++ {
+		offset := 68 + i*8
+		binary.LittleEndian.PutUint64(memory[offset:offset+8], vector.m[i])
+	}
+
+	// 8 bytes for t[0], 8 bytes for t[1]
+	binary.LittleEndian.PutUint64(memory[196:204], vector.c[0])
+	binary.LittleEndian.PutUint64(memory[204:212], vector.c[1])
+
+	// 1 byte for f
+	if vector.f {
+		memory[212] = 1
+	}
+
+	fmt.Printf("input: \"%v\"\n", hex.EncodeToString(memory[:]))
+
+	var result [64]byte
+
+	binary.LittleEndian.PutUint64(result[0:8], vector.hOut[0])
+	binary.LittleEndian.PutUint64(result[8:16], vector.hOut[1])
+	binary.LittleEndian.PutUint64(result[16:24], vector.hOut[2])
+	binary.LittleEndian.PutUint64(result[24:32], vector.hOut[3])
+
+	binary.LittleEndian.PutUint64(result[32:40], vector.hOut[4])
+	binary.LittleEndian.PutUint64(result[40:48], vector.hOut[5])
+	binary.LittleEndian.PutUint64(result[48:56], vector.hOut[6])
+	binary.LittleEndian.PutUint64(result[56:64], vector.hOut[7])
+
+	fmt.Printf("expected: \"%v\"\n", hex.EncodeToString(result[:]))
+}