Use 4 AES rounds for program generation (#46)

2024-08-15 00:23:14 +00:00 · 2019-06-01 11:13:30 +02:00 · 2019-06-01 11:13:30 +02:00 · f7c99c5b58
commit f7c99c5b58
parent 25337d3241
5 changed files with 157 additions and 50 deletions
--- a/doc/specs.md
+++ b/doc/specs.md
@ -23,9 +23,11 @@ RandomX is a proof of work (PoW) algorithm which was designed to close the gap b

 **Argon2d** is a tradeoff-resistant variant of [Argon2](https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf), a memory-hard password derivation function.

-**AesGenerator** refers to an AES-based pseudo-random number generator described in chapter 3.2. It's initialized with a 512-bit seed value and is capable of producing more than 10 bytes per clock cycle.
+**AesGenerator1R** refers to an AES-based pseudo-random number generator described in chapter 3.2. It's initialized with a 512-bit seed value and is capable of producing more than 10 bytes per clock cycle.

-**AesHash** refers to an AES-based fingerprinting function described in chapter 3.3. It's capable of processing more than 10 bytes per clock cycle and produces a 512-bit output.
+**AesGenerator4R** is a slower but more secure AES-based pseudo-random number generator described in chapter 3.3. It's initialized with a 512-bit seed value.
+
+**AesHash1R** refers to an AES-based fingerprinting function described in chapter 3.4. It's capable of processing more than 10 bytes per clock cycle and produces a 512-bit output.

 **BlakeGenerator** refers to a custom pseudo-random number generator described in chapter 3.4. It's based on the Blake2b hashing function.

@ -88,15 +90,16 @@ The algorithm consists of the following steps:

 1. The Dataset is initialized using the key value `K` (see chapter 7 for details).
 1. 64-byte seed `S` is calculated as `S = Hash512(H)`.
-1. AesGenerator is initialized with state `S`.
-1. The Scratchpad is filled with `RANDOMX_SCRATCHPAD_L3` random bytes obtained from the AesGenerator.
+1. Let `gen1 = AesGenerator1R(S)`.
+1. The Scratchpad is filled with `RANDOMX_SCRATCHPAD_L3` random bytes using generator `gen1`.
+1. Let `gen4 = AesGenerator4R(gen1.state)` (use the final state of `gen1`).
 1. The value of the VM register `fprc` is set to 0 (default rounding mode - see chapter 4.3). 
-1. The VM is programmed using `128 + 8 * RANDOMX_PROGRAM_SIZE` random bytes from the AesGenerator (see chapter 4.5).
+1. The VM is programmed using `128 + 8 * RANDOMX_PROGRAM_SIZE` random bytes using generator `gen4` (see chapter 4.5).
 1. The VM is executed (see chapter 4.6).
 1. New 64-byte seed is calculated as `S = Hash512(RegisterFile)`.
-1. AesGenerator is reinitialized with seed `S`.
-1. Steps 6-9 are performed a total of `RANDOMX_PROGRAM_COUNT` times. The last iteration skips steps 8 and 9.
-1. Scratchpad fingerprint is calculated as `A = AesHash(Scratchpad)`.
+1. Set `gen4.state = S` (modify the state of the generator).
+1. Steps 7-10 are performed a total of `RANDOMX_PROGRAM_COUNT` times. The last iteration skips steps 9 and 10.
+1. Scratchpad fingerprint is calculated as `A = AesHash1R(Scratchpad)`.
 1. The binary values of the VM registers `a0`-`a3` (4×16 bytes) are set to the value of `A`.
 1. Result is calculated as `R = Hash256(RegisterFile)`.

@ -110,24 +113,21 @@ Two of the custom functions are based on the [Advanced Encryption Standard](http

 **AES decryption round** refers to the application of inverse ShiftRows, inverse SubBytes and inverse MixColumns transformations followed by a XOR with the round key.

-### 3.2 AesGenerator
+### 3.2 AesGenerator1R

-AesGenerator produces a sequence of pseudo-random bytes.
+AesGenerator1R produces a sequence of pseudo-random bytes.

-The internal state of AesGenerator consists of 64 bytes arranged into four columns of 16 bytes each. During each output iteration, every column is decrypted (columns 0, 2) or encrypted (columns 1, 3) with one AES round using the following round keys (one key per column):
+The internal state of the generator consists of 64 bytes arranged into four columns of 16 bytes each. During each output iteration, every column is decrypted (columns 0, 2) or encrypted (columns 1, 3) with one AES round using the following round keys (one key per column):

 ```
-key0 = 2d ec ee 84 d5 f6 4f 45 32 91 32 ca e3 a2 20 df
-key1 = d0 63 7b 01 78 c5 0f f1 7f 38 d0 fe 71 59 eb 1d
-key2 = 52 7a 7d 32 a1 70 2c 2f b4 ce 17 a5 b3 26 c9 df
-key3 = d3 77 8d 5c 5e da 17 3d a9 e0 ec a0 1c f3 1c 34
+key0 = 53 a5 ac 6d 09 66 71 62 2b 55 b5 db 17 49 f4 b4
+key1 = 07 af 7c 6d 0d 71 6a 84 78 d3 25 17 4e dc a1 0d
+key2 = f1 62 12 3f c6 7e 94 9f 4f 79 c0 f4 45 e3 20 3e
+key3 = 35 81 ef 6a 7c 31 ba b1 88 4c 31 16 54 91 16 49
 ```
-These keys were generated by calculating Blake2b hash with 256-bit output of these ASCII strings (first 128 bits of the hash are used):
+These keys were generated as:
 ```
-"RandomX Generator key0"
-"RandomX Generator key1"
-"RandomX Generator key2"
-"RandomX Generator key3"
+key0, key1, key2, key3 = Hash512("RandomX AesGenerator1R keys")
 ```


@ -142,25 +142,61 @@ state0 (16 B)    state1 (16 B)    state2 (16 B)    state3 (16 B)
  state0'          state1'          state2'          state3'
 ```

-### 3.3 AesHash
+### 3.3 AesGenerator4R

-AesHash calculates a 512-bit fingerprint of its input.
-
-AesHash has a 64-byte internal state, which is arranged into four columns of 16 bytes each. The initial state is:
+AesGenerator4R works the same way as AesGenerator1R, except it uses 4 rounds per column:

 ```
-state0 = 00 8e 77 c4 ab f5 7a 88 67 d1 46 11 fd 26 31 8d
-state1 = 4b ef 34 b8 89 af 95 1b 2b 63 da 58 a1 9f fe 19
-state2 = 3a dd 42 77 00 3a 28 ab 44 d7 5a c3 74 cd b2 1b
-state3 = 9a 44 8b e1 cc 97 5d dc 57 3c 59 49 8a a5 30 bb
+state0 (16 B)    state1 (16 B)    state2 (16 B)    state3 (16 B)
+     |                |                |                |
+ AES decrypt      AES encrypt      AES decrypt      AES encrypt
+   (key0)           (key0)           (key0)           (key0)
+     |                |                |                |
+     v                v                v                v
+ AES decrypt      AES encrypt      AES decrypt      AES encrypt
+   (key1)           (key1)           (key1)           (key1)
+     |                |                |                |
+     v                v                v                v
+ AES decrypt      AES encrypt      AES decrypt      AES encrypt
+   (key2)           (key2)           (key2)           (key2)
+     |                |                |                |
+     v                v                v                v
+ AES decrypt      AES encrypt      AES decrypt      AES encrypt
+   (key3)           (key3)           (key3)           (key3)
+     |                |                |                |
+     v                v                v                v
+  state0'          state1'          state2'          state3'
 ```

-The initial state vectors were generated by calculating Blake2b hash with 256-bit output of these ASCII strings (first 128 bits of the hash are used):
+AesGenerator4R uses the following 4 round keys:
+
 ```
-"RandomX Finalizer state0"
-"RandomX Finalizer state1"
-"RandomX Finalizer state2"
-"RandomX Finalizer state3"
+key0 = 5d 46 90 f8 a6 e4 fb 7f b7 82 1f 14 95 9e 35 cf
+key1 = 50 c4 55 6a 8a 27 e8 fe c3 5a 5c bd dc ff 41 67
+key2 = a4 47 4c 11 e4 fd 24 d5 d2 9a 27 a7 ac 4a 32 3d
+key3 = 2a 3a 0c 81 ff ae a9 99 d9 db d3 42 08 db f6 76
+```
+These keys were generated as:
+```
+key0, key1, key2, key3 = Hash512("RandomX AesGenerator4R keys")
+```
+
+### 3.4 AesHash1R
+
+AesHash1R calculates a 512-bit fingerprint of its input.
+
+AesHash1R has a 64-byte internal state, which is arranged into four columns of 16 bytes each. The initial state is:
+
+```
+state0 = 0d 2c b5 92 de 56 a8 9f 47 db 82 cc ad 3a 98 d7
+state1 = 6e 99 8d 33 98 b7 c7 15 5a 12 9e f5 57 80 e7 ac
+state2 = 17 00 77 6a d0 c7 62 ae 6b 50 79 50 e4 7c a0 e8
+state3 = 0c 24 0a 63 8d 82 ad 07 05 00 a1 79 48 49 99 7e
+```
+
+The initial state vectors were generated as:
+```
+state0, state1, state2, state3 = Hash512("RandomX AesHash1R state")
 ```

 The input is processed in 64-byte blocks. Each input block is considered to be a set of four AES round keys `key0`, `key1`, `key2`, `key3`. Each state column is encrypted (columns 0, 2) or decrypted (columns 1, 3) with one AES round using the corresponding round key:
@ -178,14 +214,13 @@ state0 (16 B)    state1 (16 B)    state2 (16 B)    state3 (16 B)
 When all input bytes have been processed, the state is processed with two additional AES rounds with the following extra keys (one key per round, same pair of keys for all columns):

 ```
-xkey0 = 47 f2 cb 11 9c 92 5a 2a 3d 59 c5 e4 83 12 95 83
-xkey1 = 95 6c 81 ce 0b ef 7b 47 23 25 bc ab b2 5b 21 ff
+xkey0 = 89 83 fa f6 9f 94 24 8b bf 56 dc 90 01 02 89 06
+xkey1 = d1 63 b2 61 3c e0 f4 51 c6 43 10 ee 9b f9 18 ed
 ```

-The extra keys were generated by calculating Blake2b hash with 256-bit output of these ASCII strings (first 128 bits of the hash are used):
+The extra keys were generated as:
 ```
-"RandomX Finalizer xkey0"
-"RandomX Finalizer xkey1"
+xkey0, xkey1 = Hash256("RandomX AesHash1R xkeys")
 ```

 ```