revm_precompile/
blake2.rs

1use crate::{PrecompileError, PrecompileOutput, PrecompileResult, PrecompileWithAddress};
2use primitives::Bytes;
3
4const F_ROUND: u64 = 1;
5const INPUT_LENGTH: usize = 213;
6
7pub const FUN: PrecompileWithAddress = PrecompileWithAddress(crate::u64_to_address(9), run);
8
9/// reference: <https://eips.ethereum.org/EIPS/eip-152>
10/// input format:
11/// [4 bytes for rounds][64 bytes for h][128 bytes for m][8 bytes for t_0][8 bytes for t_1][1 byte for f]
12pub fn run(input: &Bytes, gas_limit: u64) -> PrecompileResult {
13    let input = &input[..];
14
15    if input.len() != INPUT_LENGTH {
16        return Err(PrecompileError::Blake2WrongLength);
17    }
18
19    // Rounds 4 bytes
20    let rounds = u32::from_be_bytes(input[..4].try_into().unwrap()) as usize;
21    let gas_used = rounds as u64 * F_ROUND;
22    if gas_used > gas_limit {
23        return Err(PrecompileError::OutOfGas);
24    }
25
26    let f = match input[212] {
27        1 => true,
28        0 => false,
29        _ => return Err(PrecompileError::Blake2WrongFinalIndicatorFlag),
30    };
31
32    let mut h = [0u64; 8];
33    let mut m = [0u64; 16];
34
35    for (i, pos) in (4..68).step_by(8).enumerate() {
36        h[i] = u64::from_le_bytes(input[pos..pos + 8].try_into().unwrap());
37    }
38    for (i, pos) in (68..196).step_by(8).enumerate() {
39        m[i] = u64::from_le_bytes(input[pos..pos + 8].try_into().unwrap());
40    }
41    let t = [
42        u64::from_le_bytes(input[196..196 + 8].try_into().unwrap()),
43        u64::from_le_bytes(input[204..204 + 8].try_into().unwrap()),
44    ];
45
46    algo::compress(rounds, &mut h, m, t, f);
47
48    let mut out = [0u8; 64];
49    for (i, h) in (0..64).step_by(8).zip(h.iter()) {
50        out[i..i + 8].copy_from_slice(&h.to_le_bytes());
51    }
52
53    Ok(PrecompileOutput::new(gas_used, out.into()))
54}
55
56pub mod algo {
57    /// SIGMA from spec: <https://datatracker.ietf.org/doc/html/rfc7693#section-2.7>
58    pub const SIGMA: [[usize; 16]; 10] = [
59        [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15],
60        [14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3],
61        [11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4],
62        [7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8],
63        [9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13],
64        [2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9],
65        [12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11],
66        [13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10],
67        [6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5],
68        [10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0],
69    ];
70
71    /// got IV from: <https://en.wikipedia.org/wiki/BLAKE_(hash_function)>
72    pub const IV: [u64; 8] = [
73        0x6a09e667f3bcc908,
74        0xbb67ae8584caa73b,
75        0x3c6ef372fe94f82b,
76        0xa54ff53a5f1d36f1,
77        0x510e527fade682d1,
78        0x9b05688c2b3e6c1f,
79        0x1f83d9abfb41bd6b,
80        0x5be0cd19137e2179,
81    ];
82
83    #[inline]
84    #[allow(clippy::many_single_char_names)]
85    /// G function: <https://tools.ietf.org/html/rfc7693#section-3.1>
86    pub fn g(v: &mut [u64], a: usize, b: usize, c: usize, d: usize, x: u64, y: u64) {
87        v[a] = v[a].wrapping_add(v[b]).wrapping_add(x);
88        v[d] = (v[d] ^ v[a]).rotate_right(32);
89        v[c] = v[c].wrapping_add(v[d]);
90        v[b] = (v[b] ^ v[c]).rotate_right(24);
91        v[a] = v[a].wrapping_add(v[b]).wrapping_add(y);
92        v[d] = (v[d] ^ v[a]).rotate_right(16);
93        v[c] = v[c].wrapping_add(v[d]);
94        v[b] = (v[b] ^ v[c]).rotate_right(63);
95    }
96
97    // Compression function F takes as an argument the state vector "h",
98    // message block vector "m" (last block is padded with zeros to full
99    // block size, if required), 2w-bit offset counter "t", and final block
100    // indicator flag "f".  Local vector v[0..15] is used in processing.  F
101    // returns a new state vector.  The number of rounds, "r", is 12 for
102    // BLAKE2b and 10 for BLAKE2s.  Rounds are numbered from 0 to r - 1.
103    #[allow(clippy::many_single_char_names)]
104    pub fn compress(rounds: usize, h: &mut [u64; 8], m: [u64; 16], t: [u64; 2], f: bool) {
105        let mut v = [0u64; 16];
106        v[..h.len()].copy_from_slice(h); // First half from state.
107        v[h.len()..].copy_from_slice(&IV); // Second half from IV.
108
109        v[12] ^= t[0];
110        v[13] ^= t[1];
111
112        if f {
113            v[14] = !v[14] // Invert all bits if the last-block-flag is set.
114        }
115        for i in 0..rounds {
116            // Message word selection permutation for this round.
117            let s = &SIGMA[i % 10];
118            g(&mut v, 0, 4, 8, 12, m[s[0]], m[s[1]]);
119            g(&mut v, 1, 5, 9, 13, m[s[2]], m[s[3]]);
120            g(&mut v, 2, 6, 10, 14, m[s[4]], m[s[5]]);
121            g(&mut v, 3, 7, 11, 15, m[s[6]], m[s[7]]);
122
123            g(&mut v, 0, 5, 10, 15, m[s[8]], m[s[9]]);
124            g(&mut v, 1, 6, 11, 12, m[s[10]], m[s[11]]);
125            g(&mut v, 2, 7, 8, 13, m[s[12]], m[s[13]]);
126            g(&mut v, 3, 4, 9, 14, m[s[14]], m[s[15]]);
127        }
128
129        for i in 0..8 {
130            h[i] ^= v[i] ^ v[i + 8];
131        }
132    }
133}