Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The FNV hash functions are used incorrectly #49

Open
chfast opened this issue Jul 4, 2019 · 3 comments
Open

The FNV hash functions are used incorrectly #49

chfast opened this issue Jul 4, 2019 · 3 comments

Comments

@chfast
Copy link

chfast commented Jul 4, 2019

In the original design, each byte of input is treated with a round of the FNV hashing.
https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function

In Ethash input data is hashed in 32-bit chunks following the FNV-1 formula for single round.
This is not changed in ProgPoW except for using FNV-1a formula.

This is "more correct" implementation: https://godbolt.org/z/tO3Lqt.

@AndreaLanfranchi
Copy link
Contributor

Good finding.
The same mis-implementation is present in ethash though.

@chfast
Copy link
Author

chfast commented Jul 4, 2019

The same mis-implementation is present in ethash though.

Yes, I clarified the description.

I'm not a cryptography expert to assess if that's worth fixing. Maybe that would save us from the mysterious DAG compression attack.

@AndreaLanfranchi
Copy link
Contributor

I see in ethash the mis-implementation has been deliberately chosen
https://github.com/ethereum/ethash/blob/master/src/libethash/fnv.h#L30-L39

DAG access in PP is quite different from the one in ethash.
The latter computes dag offset on one round fnv over mix only.
In PP instead mix is filled by kiss99 where each of the four words is FNV-1a'ed independentely

DEV_INLINE void fill_mix(const uint64_t seed, const uint32_t lane_id, uint32_t* mix)
{
    // Use FNV to expand the per-warp seed to per-lane
    // Use KISS to expand the per-lane seed to fill mix
    uint32_t fnv_hash = 0x811c9dc5;
    kiss99_t st;
    st.z = fnv1a(fnv_hash, seed);
    st.w = fnv1a(fnv_hash, seed >> 32);
    st.jsr = fnv1a(fnv_hash, lane_id);
    st.jcong = fnv1a(fnv_hash, lane_id);
#pragma unroll
    for (int i = 0; i < PROGPOW_REGS; i++)
        mix[i] = kiss99(st);
}

Not a cryptographer either but quite different paths.

@EtherCoreAdmin EtherCoreAdmin mentioned this issue Mar 17, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants