starwels
/
starwels
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9614 Commits
3 Branches
Tree: eece63fa72
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'eece63fa72'
${ noResults }
starwels/src/consensus/merkle.cpp

merkle.cpp 7.0KB
Normal View History Raw

Add merkle.{h,cpp}, generic merkle root/branch algorithm
5 years ago
Switch blocks to a constant-space Merkle root/branch algorithm. This switches the Merkle tree logic for blocks to one that runs in constant (small) space. The old code is moved to tests, and a new test is added that for various combinations of block sizes, transaction positions to compute a branch for, and mutations: * Verifies that the old code and new code agree for the Merkle root. * Verifies that the old code and new code agree for the Merkle branch. * Verifies that the computed Merkle branch is valid. * Verifies that mutations don't change the Merkle root. * Verifies that mutations are correctly detected.
5 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 
  1. #include "merkle.h"

  2. #include "hash.h"

  3. #include "utilstrencodings.h"

  4. 

  5. /*     WARNING! If you're reading this because you're learning about crypto

  6.        and/or designing a new system that will use merkle trees, keep in mind

  7.        that the following merkle tree algorithm has a serious flaw related to

  8.        duplicate txids, resulting in a vulnerability (CVE-2012-2459).

  9. 

  10.        The reason is that if the number of hashes in the list at a given time

  11.        is odd, the last one is duplicated before computing the next level (which

  12.        is unusual in Merkle trees). This results in certain sequences of

  13.        transactions leading to the same merkle root. For example, these two

  14.        trees:

  15. 

  16.                     A               A

  17.                   /  \            /   \

  18.                 B     C         B       C

  19.                / \    |        / \     / \

  20.               D   E   F       D   E   F   F

  21.              / \ / \ / \     / \ / \ / \ / \

  22.              1 2 3 4 5 6     1 2 3 4 5 6 5 6

  23. 

  24.        for transaction lists [1,2,3,4,5,6] and [1,2,3,4,5,6,5,6] (where 5 and

  25.        6 are repeated) result in the same root hash A (because the hash of both

  26.        of (F) and (F,F) is C).

  27. 

  28.        The vulnerability results from being able to send a block with such a

  29.        transaction list, with the same merkle root, and the same block hash as

  30.        the original without duplication, resulting in failed validation. If the

  31.        receiving node proceeds to mark that block as permanently invalid

  32.        however, it will fail to accept further unmodified (and thus potentially

  33.        valid) versions of the same block. We defend against this by detecting

  34.        the case where we would hash two identical hashes at the end of the list

  35.        together, and treating that identically to the block having an invalid

  36.        merkle root. Assuming no double-SHA256 collisions, this will detect all

  37.        known ways of changing the transactions without affecting the merkle

  38.        root.

  39. */

  40. 

  41. /* This implements a constant-space merkle root/path calculator, limited to 2^32 leaves. */

  42. static void MerkleComputation(const std::vector<uint256>& leaves, uint256* proot, bool* pmutated, uint32_t branchpos, std::vector<uint256>* pbranch) {

  43.     if (pbranch) pbranch->clear();

  44.     if (leaves.size() == 0) {

  45.         if (pmutated) *pmutated = false;

  46.         if (proot) *proot = uint256();

  47.         return;

  48.     }

  49.     bool mutated = false;

  50.     // count is the number of leaves processed so far.

  51.     uint32_t count = 0;

  52.     // inner is an array of eagerly computed subtree hashes, indexed by tree

  53.     // level (0 being the leaves).

  54.     // For example, when count is 25 (11001 in binary), inner[4] is the hash of

  55.     // the first 16 leaves, inner[3] of the next 8 leaves, and inner[0] equal to

  56.     // the last leaf. The other inner entries are undefined.

  57.     uint256 inner[32];

  58.     // Which position in inner is a hash that depends on the matching leaf.

  59.     int matchlevel = -1;

  60.     // First process all leaves into 'inner' values.

  61.     while (count < leaves.size()) {

  62.         uint256 h = leaves[count];

  63.         bool matchh = count == branchpos;

  64.         count++;

  65.         int level;

  66.         // For each of the lower bits in count that are 0, do 1 step. Each

  67.         // corresponds to an inner value that existed before processing the

  68.         // current leaf, and each needs a hash to combine it.

  69.         for (level = 0; !(count & (((uint32_t)1) << level)); level++) {

  70.             if (pbranch) {

  71.                 if (matchh) {

  72.                     pbranch->push_back(inner[level]);

  73.                 } else if (matchlevel == level) {

  74.                     pbranch->push_back(h);

  75.                     matchh = true;

  76.                 }

  77.             }

  78.             mutated |= (inner[level] == h);

  79.             CHash256().Write(inner[level].begin(), 32).Write(h.begin(), 32).Finalize(h.begin());

  80.         }

  81.         // Store the resulting hash at inner position level.

  82.         inner[level] = h;

  83.         if (matchh) {

  84.             matchlevel = level;

  85.         }

  86.     }

  87.     // Do a final 'sweep' over the rightmost branch of the tree to process

  88.     // odd levels, and reduce everything to a single top value.

  89.     // Level is the level (counted from the bottom) up to which we've sweeped.

  90.     int level = 0;

  91.     // As long as bit number level in count is zero, skip it. It means there

  92.     // is nothing left at this level.

  93.     while (!(count & (((uint32_t)1) << level))) {

  94.         level++;

  95.     }

  96.     uint256 h = inner[level];

  97.     bool matchh = matchlevel == level;

  98.     while (count != (((uint32_t)1) << level)) {

  99.         // If we reach this point, h is an inner value that is not the top.

  100.         // We combine it with itself (Bitcoin's special rule for odd levels in

  101.         // the tree) to produce a higher level one.

  102.         if (pbranch && matchh) {

  103.             pbranch->push_back(h);

  104.         }

  105.         CHash256().Write(h.begin(), 32).Write(h.begin(), 32).Finalize(h.begin());

  106.         // Increment count to the value it would have if two entries at this

  107.         // level had existed.

  108.         count += (((uint32_t)1) << level);

  109.         level++;

  110.         // And propagate the result upwards accordingly.

  111.         while (!(count & (((uint32_t)1) << level))) {

  112.             if (pbranch) {

  113.                 if (matchh) {

  114.                     pbranch->push_back(inner[level]);

  115.                 } else if (matchlevel == level) {

  116.                     pbranch->push_back(h);

  117.                     matchh = true;

  118.                 }

  119.             }

  120.             CHash256().Write(inner[level].begin(), 32).Write(h.begin(), 32).Finalize(h.begin());

  121.             level++;

  122.         }

  123.     }

  124.     // Return result.

  125.     if (pmutated) *pmutated = mutated;

  126.     if (proot) *proot = h;

  127. }

  128. 

  129. uint256 ComputeMerkleRoot(const std::vector<uint256>& leaves, bool* mutated) {

  130.     uint256 hash;

  131.     MerkleComputation(leaves, &hash, mutated, -1, NULL);

  132.     return hash;

  133. }

  134. 

  135. std::vector<uint256> ComputeMerkleBranch(const std::vector<uint256>& leaves, uint32_t position) {

  136.     std::vector<uint256> ret;

  137.     MerkleComputation(leaves, NULL, NULL, position, &ret);

  138.     return ret;

  139. }

  140. 

  141. uint256 ComputeMerkleRootFromBranch(const uint256& leaf, const std::vector<uint256>& vMerkleBranch, uint32_t nIndex) {

  142.     uint256 hash = leaf;

  143.     for (std::vector<uint256>::const_iterator it = vMerkleBranch.begin(); it != vMerkleBranch.end(); ++it) {

  144.         if (nIndex & 1) {

  145.             hash = Hash(BEGIN(*it), END(*it), BEGIN(hash), END(hash));

  146.         } else {

  147.             hash = Hash(BEGIN(hash), END(hash), BEGIN(*it), END(*it));

  148.         }

  149.         nIndex >>= 1;

  150.     }

  151.     return hash;

  152. }

  153. 

  154. uint256 BlockMerkleRoot(const CBlock& block, bool* mutated)

  155. {

  156.     std::vector<uint256> leaves;

  157.     leaves.resize(block.vtx.size());

  158.     for (size_t s = 0; s < block.vtx.size(); s++) {

  159.         leaves[s] = block.vtx[s].GetHash();

  160.     }

  161.     return ComputeMerkleRoot(leaves, mutated);

  162. }

  163. 

  164. std::vector<uint256> BlockMerkleBranch(const CBlock& block, uint32_t position)

  165. {

  166.     std::vector<uint256> leaves;

  167.     leaves.resize(block.vtx.size());

  168.     for (size_t s = 0; s < block.vtx.size(); s++) {

  169.         leaves[s] = block.vtx[s].GetHash();

  170.     }

  171.     return ComputeMerkleBranch(leaves, position);

  172. }