Equivalent of mimblewimble/grin#3343

core/pow/cuckaroo.go

@@ -48,6 +48,7 @@ func (c *CuckarooContext) Verify(proof Proof) error {
 	nonces := proof.Nonces
 	uvs := make([]uint64, 2*proof.proofSize())
 	var xor0, xor1 uint64
+	nodeMask := c.params.edgeMask
 
 	for n := 0; n < proof.proofSize(); n++ {
 		if nonces[n] > c.params.edgeMask {
@@ -58,9 +59,9 @@ func (c *CuckarooContext) Verify(proof Proof) error {
 		}
 		// 21 is standard siphash rotation constant
 		edge := SipHashBlock(c.params.siphashKeys, nonces[n], 21, false)
-		uvs[2*n] = edge & c.params.edgeMask
-		uvs[2*n+1] = (edge >> 32) & c.params.edgeMask
+		uvs[2*n] = edge & nodeMask
 		xor0 ^= uvs[2*n]
+		uvs[2*n+1] = (edge >> 32) & nodeMask
 		xor1 ^= uvs[2*n+1]
 	}
 

core/pow/cuckarood.go

@@ -49,7 +49,7 @@ func (c *CuckaroodContext) Verify(proof Proof) error {
 	uvs := make([]uint64, 2*proof.proofSize())
 	ndir := make([]uint64, 2)
 	var xor0, xor1 uint64
-	nodemask := c.params.edgeMask >> 1
+	nodeMask := c.params.edgeMask >> 1
 
 	for n := 0; n < proof.proofSize(); n++ {
 		dir := uint(nonces[n] & 1)
@@ -62,11 +62,12 @@ func (c *CuckaroodContext) Verify(proof Proof) error {
 		if n > 0 && nonces[n] <= nonces[n-1] {
 			return errors.New("edges not ascending")
 		}
+		// cuckarood uses a non-standard siphash rotation constant 25 as anti-ASIC tweak
 		edge := SipHashBlock(c.params.siphashKeys, nonces[n], 25, false)
 		idx := 4*ndir[dir] + 2*uint64(dir)
-		uvs[idx] = edge & nodemask
-		uvs[idx+1] = (edge >> 32) & nodemask
+		uvs[idx] = edge & nodeMask
 		xor0 ^= uvs[idx]
+		uvs[idx+1] = (edge >> 32) & nodeMask
 		xor1 ^= uvs[idx+1]
 		ndir[dir]++
 	}

core/pow/cuckaroom.go

@@ -46,11 +46,11 @@ func (c *CuckaroomContext) Verify(proof Proof) error {
 		return errors.New("wrong cycle length")
 	}
 	nonces := proof.Nonces
-	from := make([]uint32, proof.proofSize())
-	to := make([]uint32, proof.proofSize())
-	var xorFrom uint32 = 0
-	var xorTo uint32 = 0
-	nodemask := c.params.edgeMask >> 1
+	from := make([]uint64, proof.proofSize())
+	to := make([]uint64, proof.proofSize())
+	var xorFrom uint64 = 0
+	var xorTo uint64 = 0
+	nodeMask := c.params.edgeMask >> 1
 
 	for n := 0; n < proof.proofSize(); n++ {
 		if nonces[n] > c.params.edgeMask {
@@ -59,10 +59,11 @@ func (c *CuckaroomContext) Verify(proof Proof) error {
 		if n > 0 && nonces[n] <= nonces[n-1] {
 			return errors.New("edges not ascending")
 		}
+		// 21 is standard siphash rotation constant
 		edge := SipHashBlock(c.params.siphashKeys, nonces[n], 21, true)
-		from[n] = uint32(edge & nodemask)
+		from[n] = edge & nodeMask
 		xorFrom ^= from[n]
-		to[n] = uint32((edge >> 32) & nodemask)
+		to[n] = (edge >> 32) & nodeMask
 		xorTo ^= to[n]
 	}
 	if xorFrom != xorTo {

core/pow/cuckarooz.go

@@ -48,6 +48,7 @@ func (c *CuckaroozContext) Verify(proof Proof) error {
 	nonces := proof.Nonces
 	uvs := make([]uint64, 2*proof.proofSize())
 	var xoruv uint64 = 0
+	nodeMask := c.params.edgeMask<<1 | 1
 
 	for n := 0; n < proof.proofSize(); n++ {
 		if nonces[n] > c.params.edgeMask {
@@ -58,8 +59,8 @@ func (c *CuckaroozContext) Verify(proof Proof) error {
 		}
 		// 21 is standard siphash rotation constant
 		edge := SipHashBlock(c.params.siphashKeys, nonces[n], 21, true)
-		uvs[2*n] = edge & c.params.edgeMask
-		uvs[2*n+1] = edge >> 32 & c.params.edgeMask
+		uvs[2*n] = edge & nodeMask
+		uvs[2*n+1] = edge >> 32 & nodeMask
 		xoruv ^= uvs[2*n] ^ uvs[2*n+1]
 	}
 	if xoruv != 0 {