revm_precompile/
blake2.rs

Help
1use crate::{Error, Precompile, PrecompileResult, PrecompileWithAddress};
2use revm_primitives::{Bytes, PrecompileOutput};
3
4const F_ROUND: u64 = 1;
5const INPUT_LENGTH: usize = 213;
6
7pub const FUN: PrecompileWithAddress =
8    PrecompileWithAddress(crate::u64_to_address(9), Precompile::Standard(run));
9
10/// reference: <https://eips.ethereum.org/EIPS/eip-152>
11/// input format:
12/// [4 bytes for rounds][64 bytes for h][128 bytes for m][8 bytes for t_0][8 bytes for t_1][1 byte for f]
13pub fn run(input: &Bytes, gas_limit: u64) -> PrecompileResult {
14    let input = &input[..];
15
16    if input.len() != INPUT_LENGTH {
17        return Err(Error::Blake2WrongLength.into());
18    }
19
20    // rounds 4 bytes
21    let rounds = u32::from_be_bytes(input[..4].try_into().unwrap()) as usize;
22    let gas_used = rounds as u64 * F_ROUND;
23    if gas_used > gas_limit {
24        return Err(Error::OutOfGas.into());
25    }
26
27    let f = match input[212] {
28        1 => true,
29        0 => false,
30        _ => return Err(Error::Blake2WrongFinalIndicatorFlag.into()),
31    };
32
33    let mut h = [0u64; 8];
34    let mut m = [0u64; 16];
35
36    for (i, pos) in (4..68).step_by(8).enumerate() {
37        h[i] = u64::from_le_bytes(input[pos..pos + 8].try_into().unwrap());
38    }
39    for (i, pos) in (68..196).step_by(8).enumerate() {
40        m[i] = u64::from_le_bytes(input[pos..pos + 8].try_into().unwrap());
41    }
42    let t = [
43        u64::from_le_bytes(input[196..196 + 8].try_into().unwrap()),
44        u64::from_le_bytes(input[204..204 + 8].try_into().unwrap()),
45    ];
46
47    algo::compress(rounds, &mut h, m, t, f);
48
49    let mut out = [0u8; 64];
50    for (i, h) in (0..64).step_by(8).zip(h.iter()) {
51        out[i..i + 8].copy_from_slice(&h.to_le_bytes());
52    }
53
54    Ok(PrecompileOutput::new(gas_used, out.into()))
55}
56
57pub mod algo {
58    /// SIGMA from spec: <https://datatracker.ietf.org/doc/html/rfc7693#section-2.7>
59    pub const SIGMA: [[usize; 16]; 10] = [
60        [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15],
61        [14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3],
62        [11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4],
63        [7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8],
64        [9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13],
65        [2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9],
66        [12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11],
67        [13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10],
68        [6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5],
69        [10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0],
70    ];
71
72    /// got IV from: <https://en.wikipedia.org/wiki/BLAKE_(hash_function)>
73    pub const IV: [u64; 8] = [
74        0x6a09e667f3bcc908,
75        0xbb67ae8584caa73b,
76        0x3c6ef372fe94f82b,
77        0xa54ff53a5f1d36f1,
78        0x510e527fade682d1,
79        0x9b05688c2b3e6c1f,
80        0x1f83d9abfb41bd6b,
81        0x5be0cd19137e2179,
82    ];
83
84    #[inline]
85    #[allow(clippy::many_single_char_names)]
86    /// G function: <https://tools.ietf.org/html/rfc7693#section-3.1>
87    pub fn g(v: &mut [u64], a: usize, b: usize, c: usize, d: usize, x: u64, y: u64) {
88        v[a] = v[a].wrapping_add(v[b]).wrapping_add(x);
89        v[d] = (v[d] ^ v[a]).rotate_right(32);
90        v[c] = v[c].wrapping_add(v[d]);
91        v[b] = (v[b] ^ v[c]).rotate_right(24);
92        v[a] = v[a].wrapping_add(v[b]).wrapping_add(y);
93        v[d] = (v[d] ^ v[a]).rotate_right(16);
94        v[c] = v[c].wrapping_add(v[d]);
95        v[b] = (v[b] ^ v[c]).rotate_right(63);
96    }
97
98    // Compression function F takes as an argument the state vector "h",
99    // message block vector "m" (last block is padded with zeros to full
100    // block size, if required), 2w-bit offset counter "t", and final block
101    // indicator flag "f".  Local vector v[0..15] is used in processing.  F
102    // returns a new state vector.  The number of rounds, "r", is 12 for
103    // BLAKE2b and 10 for BLAKE2s.  Rounds are numbered from 0 to r - 1.
104    #[allow(clippy::many_single_char_names)]
105    pub fn compress(rounds: usize, h: &mut [u64; 8], m: [u64; 16], t: [u64; 2], f: bool) {
106        let mut v = [0u64; 16];
107        v[..h.len()].copy_from_slice(h); // First half from state.
108        v[h.len()..].copy_from_slice(&IV); // Second half from IV.
109
110        v[12] ^= t[0];
111        v[13] ^= t[1];
112
113        if f {
114            v[14] = !v[14] // Invert all bits if the last-block-flag is set.
115        }
116        for i in 0..rounds {
117            // Message word selection permutation for this round.
118            let s = &SIGMA[i % 10];
119            g(&mut v, 0, 4, 8, 12, m[s[0]], m[s[1]]);
120            g(&mut v, 1, 5, 9, 13, m[s[2]], m[s[3]]);
121            g(&mut v, 2, 6, 10, 14, m[s[4]], m[s[5]]);
122            g(&mut v, 3, 7, 11, 15, m[s[6]], m[s[7]]);
123
124            g(&mut v, 0, 5, 10, 15, m[s[8]], m[s[9]]);
125            g(&mut v, 1, 6, 11, 12, m[s[10]], m[s[11]]);
126            g(&mut v, 2, 7, 8, 13, m[s[12]], m[s[13]]);
127            g(&mut v, 3, 4, 9, 14, m[s[14]], m[s[15]]);
128        }
129
130        for i in 0..8 {
131            h[i] ^= v[i] ^ v[i + 8];
132        }
133    }
134}
revm_precompile/blake2.rs

revm_precompile/
blake2.rs
