1 // Copyright (c) 2012-2013 The PPCoin developers
2 // Copyright (c) 2013-2015 The Novacoin developers
3 // Distributed under the MIT/X11 software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 // Distributed under the MIT/X11 software license, see the accompanying
6 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
8 #include <boost/assign/list_of.hpp>
13 extern unsigned int nStakeMaxAge;
14 extern unsigned int nStakeTargetSpacing;
19 // Protocol switch time for fixed kernel modifier interval
20 unsigned int nModifierSwitchTime = 1413763200; // Mon, 20 Oct 2014 00:00:00 GMT
21 unsigned int nModifierTestSwitchTime = 1397520000; // Tue, 15 Apr 2014 00:00:00 GMT
23 // Note: user must upgrade before the protocol switch deadline, otherwise it's required to
24 // re-download the blockchain. The timestamp of upgrade is recorded in the blockchain
26 unsigned int nModifierUpgradeTime = 0;
28 typedef std::map<int, unsigned int> MapModifierCheckpoints;
30 // Hard checkpoints of stake modifiers to ensure they are deterministic
31 static std::map<int, unsigned int> mapStakeModifierCheckpoints =
32 boost::assign::map_list_of
34 ( 12661, 0x5d84115du )
35 (143990, 0x9c592c78u )
36 (149000, 0x48f2bdc4u )
37 (160000, 0x789df0f0u )
38 (200000, 0x01ec1503u )
41 // Hard checkpoints of stake modifiers to ensure they are deterministic (testNet)
42 static std::map<int, unsigned int> mapStakeModifierCheckpointsTestNet =
43 boost::assign::map_list_of
47 // Pregenerated entropy bits table (from genesis to #9689)
49 // Bits are packed into array of 256 bit integers:
51 // * array index calculated as nHeight / 256
52 // * position of bit is calculated as nHeight & 0xFF.
54 const uint256 entropyStore[] = {
55 uint256("0x4555b4dcc1d690ddd9b810c90c66e82b18bf4f43cc887246c418383ec120a5ab"),
56 uint256("0xaa6d1198412fa77608addf6549c9198a22155e8afd7a9ded6179f6b7cfc66b0c"),
57 uint256("0x9442fabfa4116fb14a9769c2eea003845a1f5c3a0260f36b497d68f3a3cd4078"),
58 uint256("0x0e769042a9a98e42388195d699574b822d06515f7053ad884c53d7ee059f05b1"),
59 uint256("0x7005aac20baf70251aebfe3f1b95987d83ef1e3e6963de8fed601d4dd07bf7cf"),
60 uint256("0x58952c5c3de188f2e33c38d3f53d7bf44f9bc545a4289d266696273fa821be66"),
61 uint256("0x50b6c2ed780c08aaec3f7665b1b6004206243e3866456fc910b83b52d07eeb63"),
62 uint256("0x563841eefca85ba3384986c58100408ae3f1ba2ac727e1ac910ce154a06c702f"),
63 uint256("0x79275b03938b3e27a9b01a7f7953c6c487c58355f5d4169accfbb800213ffd13"),
64 uint256("0xd783f2538b3ed18f135af90adc687c5646d93aeaeaabc6667be94f7aa0a2d366"),
65 uint256("0xb441d0c175c40c8e88b09d88ea008af79cbed2d28219427d2e72fda682974db8"),
66 uint256("0x3204c43bd41f2e19628af3b0c9aca3db15bca4c8705d51056e7b17a319c04715"),
67 uint256("0x7e80e6ab7857d8f2f261a0a49c783bd800b365b8c9b85cc0e13f73904b0dcaa9"),
68 uint256("0xefaaee60ed82d2ad145c0e347941fdb131eb8fd289a45eef07121a93f283c5f1"),
69 uint256("0x3efc86e4334da332c1fd4c12513c40cff689f3efdc7f9913230822adacdda4f9"),
70 uint256("0xf0d6b8f38599a017fa35d1fbbf9ef51eca5ebc5b286aadba40c4c3e1d9bace0c"),
71 uint256("0x286a67f27323486036a0a92d35382fc8963c0c00bad331723318b4b9fdb2b56e"),
72 uint256("0xecbfaaa6567c54f08c4d5bd0118a2d7b58740f42cbfc73aa1536c1f5f76de87c"),
73 uint256("0xf9a4de1c5c46520de5aaf10d3796cf0e27ddce98b3398357f5726a949664e308"),
74 uint256("0xd75e6c4dc4be08401e3478d2467d9ab96a62af4f255c04a82c41af0de0a487bb"),
75 uint256("0x1a82c3bc6ad6047294c16571b5e2b7316c97bf8813e7da15798b9820d67e39f2"),
76 uint256("0xb49be0080de564e01829ded7e7971979565a741c5975dc9978dcc020192d396c"),
77 uint256("0x0d8eed113be67663b5a15a0625a9b49792b5ea59c005c4f405914877acab7000"),
78 uint256("0x8f9d46e2bc05a218ffa942965b747056197d393b097085523640cd59e07fe7c7"),
79 uint256("0x7a63ab40bc7f40ac2ebe9ede438d97b45fa6ed6f8419016da8d5f7a670111dda"),
80 uint256("0x63fbcc080448c43d6cf915c958314feff7a95a52ba43a68c05fc281d3a522d25"),
81 uint256("0xf834cf824c326d3ea861ea1e85dc3289265e37045981e28208e7344a7f8081d7"),
82 uint256("0xb4edc22ec98cc49b2f5af5bae3f52f5e6058280f74f2c432c2dd89ae49acceb8"),
83 uint256("0x0fe596037dcf81bf5c64f39755261c404ed088af5c8c31dd7549b6657ee92365"),
84 uint256("0xbbad51a0aeba254b01d18c328de9e932b9b859b61e622c325d64e2211b5e413d"),
85 uint256("0xabf0194cc787be938bc51c7fdf1cae4ec79e65ebab8fa8b8f40541c44ef384b0"),
86 uint256("0x83bc12d6fdbd3e854cb91c4ca7dfba3c38e8714121af88c8a8abdb33e5002438"),
87 uint256("0x71a2513026cabaedcbe55aeb6dc8049e5b763a3f54f10c33dd333624f764b38c"),
88 uint256("0xee6725632ff5c025dff6a18cd059875dcae20f399b03bccba13d9d5fcf6d9d9a"),
89 uint256("0xa168a2741d1e7e50cc74b79f695c25ffd3576e6bd61353c2a20e569fd63b2dac"),
90 uint256("0x6e462d2a87bfde9398b6747f94a8ed6a01e4d96c5b4372df5c910c106c48bd13"),
91 uint256("0x8eeb696181957c4b22434028990f49cb30006827c73860e77e2eecf5c38be99d"),
92 uint256("0x3188aaa65877b166f05cdc48f55b1f77a7d6fb221c395596d990ae5647e9ba96")
95 // Whether the given block is subject to new modifier protocol
96 bool IsFixedModifierInterval(unsigned int nTimeBlock)
98 return (nTimeBlock >= (fTestNet? nModifierTestSwitchTime : nModifierSwitchTime));
101 // Get the last stake modifier and its generation time from a given block
102 static bool GetLastStakeModifier(const CBlockIndex* pindex, uint64_t& nStakeModifier, int64_t& nModifierTime)
105 return error("GetLastStakeModifier: null pindex");
106 while (pindex && pindex->pprev && !pindex->GeneratedStakeModifier())
107 pindex = pindex->pprev;
108 if (!pindex->GeneratedStakeModifier())
109 return error("GetLastStakeModifier: no generation at genesis block");
110 nStakeModifier = pindex->nStakeModifier;
111 nModifierTime = pindex->GetBlockTime();
115 // Get selection interval section (in seconds)
116 static int64_t GetStakeModifierSelectionIntervalSection(int nSection)
118 assert (nSection >= 0 && nSection < 64);
119 return (nModifierInterval * 63 / (63 + ((63 - nSection) * (MODIFIER_INTERVAL_RATIO - 1))));
122 // Get stake modifier selection interval (in seconds)
123 static int64_t GetStakeModifierSelectionInterval()
125 int64_t nSelectionInterval = 0;
126 for (int nSection=0; nSection<64; nSection++)
127 nSelectionInterval += GetStakeModifierSelectionIntervalSection(nSection);
128 return nSelectionInterval;
131 // select a block from the candidate blocks in vSortedByTimestamp, excluding
132 // already selected blocks in vSelectedBlocks, and with timestamp up to
133 // nSelectionIntervalStop.
134 static bool SelectBlockFromCandidates(vector<pair<int64_t, uint256> >& vSortedByTimestamp, map<uint256, const CBlockIndex*>& mapSelectedBlocks,
135 int64_t nSelectionIntervalStop, uint64_t nStakeModifierPrev, const CBlockIndex** pindexSelected)
137 bool fSelected = false;
138 uint256 hashBest = 0;
139 *pindexSelected = (const CBlockIndex*) 0;
140 BOOST_FOREACH(const PAIRTYPE(int64_t, uint256)& item, vSortedByTimestamp)
142 if (!mapBlockIndex.count(item.second))
143 return error("SelectBlockFromCandidates: failed to find block index for candidate block %s", item.second.ToString().c_str());
144 const CBlockIndex* pindex = mapBlockIndex[item.second];
145 if (fSelected && pindex->GetBlockTime() > nSelectionIntervalStop)
147 if (mapSelectedBlocks.count(pindex->GetBlockHash()) > 0)
149 // compute the selection hash by hashing its proof-hash and the
150 // previous proof-of-stake modifier
151 uint256 hashProof = pindex->IsProofOfStake()? pindex->hashProofOfStake : pindex->GetBlockHash();
152 CDataStream ss(SER_GETHASH, 0);
153 ss << hashProof << nStakeModifierPrev;
154 uint256 hashSelection = Hash(ss.begin(), ss.end());
155 // the selection hash is divided by 2**32 so that proof-of-stake block
156 // is always favored over proof-of-work block. this is to preserve
157 // the energy efficiency property
158 if (pindex->IsProofOfStake())
159 hashSelection >>= 32;
160 if (fSelected && hashSelection < hashBest)
162 hashBest = hashSelection;
163 *pindexSelected = (const CBlockIndex*) pindex;
168 hashBest = hashSelection;
169 *pindexSelected = (const CBlockIndex*) pindex;
172 if (fDebug && GetBoolArg("-printstakemodifier"))
173 printf("SelectBlockFromCandidates: selection hash=%s\n", hashBest.ToString().c_str());
177 // Stake Modifier (hash modifier of proof-of-stake):
178 // The purpose of stake modifier is to prevent a txout (coin) owner from
179 // computing future proof-of-stake generated by this txout at the time
180 // of transaction confirmation. To meet kernel protocol, the txout
181 // must hash with a future stake modifier to generate the proof.
182 // Stake modifier consists of bits each of which is contributed from a
183 // selected block of a given block group in the past.
184 // The selection of a block is based on a hash of the block's proof-hash and
185 // the previous stake modifier.
186 // Stake modifier is recomputed at a fixed time interval instead of every
187 // block. This is to make it difficult for an attacker to gain control of
188 // additional bits in the stake modifier, even after generating a chain of
190 bool ComputeNextStakeModifier(const CBlockIndex* pindexCurrent, uint64_t& nStakeModifier, bool& fGeneratedStakeModifier)
193 fGeneratedStakeModifier = false;
194 const CBlockIndex* pindexPrev = pindexCurrent->pprev;
197 fGeneratedStakeModifier = true;
198 return true; // genesis block's modifier is 0
201 // First find current stake modifier and its generation block time
202 // if it's not old enough, return the same stake modifier
203 int64_t nModifierTime = 0;
204 if (!GetLastStakeModifier(pindexPrev, nStakeModifier, nModifierTime))
205 return error("ComputeNextStakeModifier: unable to get last modifier");
208 printf("ComputeNextStakeModifier: prev modifier=0x%016" PRIx64 " time=%s epoch=%u\n", nStakeModifier, DateTimeStrFormat(nModifierTime).c_str(), (unsigned int)nModifierTime);
210 if (nModifierTime / nModifierInterval >= pindexPrev->GetBlockTime() / nModifierInterval)
214 printf("ComputeNextStakeModifier: no new interval keep current modifier: pindexPrev nHeight=%d nTime=%u\n", pindexPrev->nHeight, (unsigned int)pindexPrev->GetBlockTime());
218 if (nModifierTime / nModifierInterval >= pindexCurrent->GetBlockTime() / nModifierInterval)
220 // fixed interval protocol requires current block timestamp also be in a different modifier interval
221 if (IsFixedModifierInterval(pindexCurrent->nTime))
225 printf("ComputeNextStakeModifier: no new interval keep current modifier: pindexCurrent nHeight=%d nTime=%u\n", pindexCurrent->nHeight, (unsigned int)pindexCurrent->GetBlockTime());
233 printf("ComputeNextStakeModifier: old modifier at block %s not meeting fixed modifier interval: pindexCurrent nHeight=%d nTime=%u\n", pindexCurrent->GetBlockHash().ToString().c_str(), pindexCurrent->nHeight, (unsigned int)pindexCurrent->GetBlockTime());
238 // Sort candidate blocks by timestamp
239 vector<pair<int64_t, uint256> > vSortedByTimestamp;
240 vSortedByTimestamp.reserve(64 * nModifierInterval / nStakeTargetSpacing);
241 int64_t nSelectionInterval = GetStakeModifierSelectionInterval();
242 int64_t nSelectionIntervalStart = (pindexPrev->GetBlockTime() / nModifierInterval) * nModifierInterval - nSelectionInterval;
243 const CBlockIndex* pindex = pindexPrev;
244 while (pindex && pindex->GetBlockTime() >= nSelectionIntervalStart)
246 vSortedByTimestamp.push_back(make_pair(pindex->GetBlockTime(), pindex->GetBlockHash()));
247 pindex = pindex->pprev;
249 int nHeightFirstCandidate = pindex ? (pindex->nHeight + 1) : 0;
250 reverse(vSortedByTimestamp.begin(), vSortedByTimestamp.end());
251 sort(vSortedByTimestamp.begin(), vSortedByTimestamp.end());
253 // Select 64 blocks from candidate blocks to generate stake modifier
254 uint64_t nStakeModifierNew = 0;
255 int64_t nSelectionIntervalStop = nSelectionIntervalStart;
256 map<uint256, const CBlockIndex*> mapSelectedBlocks;
257 for (int nRound=0; nRound<min(64, (int)vSortedByTimestamp.size()); nRound++)
259 // add an interval section to the current selection round
260 nSelectionIntervalStop += GetStakeModifierSelectionIntervalSection(nRound);
261 // select a block from the candidates of current round
262 if (!SelectBlockFromCandidates(vSortedByTimestamp, mapSelectedBlocks, nSelectionIntervalStop, nStakeModifier, &pindex))
263 return error("ComputeNextStakeModifier: unable to select block at round %d", nRound);
264 // write the entropy bit of the selected block
265 nStakeModifierNew |= (((uint64_t)pindex->GetStakeEntropyBit()) << nRound);
266 // add the selected block from candidates to selected list
267 mapSelectedBlocks.insert(make_pair(pindex->GetBlockHash(), pindex));
268 if (fDebug && GetBoolArg("-printstakemodifier"))
269 printf("ComputeNextStakeModifier: selected round %d stop=%s height=%d bit=%d\n", nRound, DateTimeStrFormat(nSelectionIntervalStop).c_str(), pindex->nHeight, pindex->GetStakeEntropyBit());
272 // Print selection map for visualization of the selected blocks
273 if (fDebug && GetBoolArg("-printstakemodifier"))
275 string strSelectionMap = "";
276 // '-' indicates proof-of-work blocks not selected
277 strSelectionMap.insert(0, pindexPrev->nHeight - nHeightFirstCandidate + 1, '-');
279 while (pindex && pindex->nHeight >= nHeightFirstCandidate)
281 // '=' indicates proof-of-stake blocks not selected
282 if (pindex->IsProofOfStake())
283 strSelectionMap.replace(pindex->nHeight - nHeightFirstCandidate, 1, "=");
284 pindex = pindex->pprev;
286 BOOST_FOREACH(const PAIRTYPE(uint256, const CBlockIndex*)& item, mapSelectedBlocks)
288 // 'S' indicates selected proof-of-stake blocks
289 // 'W' indicates selected proof-of-work blocks
290 strSelectionMap.replace(item.second->nHeight - nHeightFirstCandidate, 1, item.second->IsProofOfStake()? "S" : "W");
292 printf("ComputeNextStakeModifier: selection height [%d, %d] map %s\n", nHeightFirstCandidate, pindexPrev->nHeight, strSelectionMap.c_str());
296 printf("ComputeNextStakeModifier: new modifier=0x%016" PRIx64 " time=%s\n", nStakeModifierNew, DateTimeStrFormat(pindexPrev->GetBlockTime()).c_str());
299 nStakeModifier = nStakeModifierNew;
300 fGeneratedStakeModifier = true;
304 // The stake modifier used to hash for a stake kernel is chosen as the stake
305 // modifier about a selection interval later than the coin generating the kernel
306 static bool GetKernelStakeModifier(uint256 hashBlockFrom, uint64_t& nStakeModifier, int& nStakeModifierHeight, int64_t& nStakeModifierTime, bool fPrintProofOfStake)
309 if (!mapBlockIndex.count(hashBlockFrom))
310 return error("GetKernelStakeModifier() : block not indexed");
311 const CBlockIndex* pindexFrom = mapBlockIndex[hashBlockFrom];
312 nStakeModifierHeight = pindexFrom->nHeight;
313 nStakeModifierTime = pindexFrom->GetBlockTime();
314 int64_t nStakeModifierSelectionInterval = GetStakeModifierSelectionInterval();
315 const CBlockIndex* pindex = pindexFrom;
316 // loop to find the stake modifier later by a selection interval
317 while (nStakeModifierTime < pindexFrom->GetBlockTime() + nStakeModifierSelectionInterval)
320 { // reached best block; may happen if node is behind on block chain
321 if (fPrintProofOfStake || (pindex->GetBlockTime() + nStakeMinAge - nStakeModifierSelectionInterval > GetAdjustedTime()))
322 return error("GetKernelStakeModifier() : reached best block %s at height %d from block %s",
323 pindex->GetBlockHash().ToString().c_str(), pindex->nHeight, hashBlockFrom.ToString().c_str());
327 pindex = pindex->pnext;
328 if (pindex->GeneratedStakeModifier())
330 nStakeModifierHeight = pindex->nHeight;
331 nStakeModifierTime = pindex->GetBlockTime();
334 nStakeModifier = pindex->nStakeModifier;
338 bool GetKernelStakeModifier(uint256 hashBlockFrom, uint64_t& nStakeModifier)
340 int nStakeModifierHeight;
341 int64_t nStakeModifierTime;
343 return GetKernelStakeModifier(hashBlockFrom, nStakeModifier, nStakeModifierHeight, nStakeModifierTime, false);
347 // ppcoin kernel protocol
348 // coinstake must meet hash target according to the protocol:
349 // kernel (input 0) must meet the formula
350 // hash(nStakeModifier + txPrev.block.nTime + txPrev.offset + txPrev.nTime + txPrev.vout.n + nTime) < bnTarget * nCoinDayWeight
351 // this ensures that the chance of getting a coinstake is proportional to the
352 // amount of coin age one owns.
353 // The reason this hash is chosen is the following:
354 // nStakeModifier: scrambles computation to make it very difficult to precompute
355 // future proof-of-stake at the time of the coin's confirmation
356 // txPrev.block.nTime: prevent nodes from guessing a good timestamp to
357 // generate transaction for future advantage
358 // txPrev.offset: offset of txPrev inside block, to reduce the chance of
359 // nodes generating coinstake at the same time
360 // txPrev.nTime: reduce the chance of nodes generating coinstake at the same
362 // txPrev.vout.n: output number of txPrev, to reduce the chance of nodes
363 // generating coinstake at the same time
364 // block/tx hash should not be used here as they can be generated in vast
365 // quantities so as to generate blocks faster, degrading the system back into
366 // a proof-of-work situation.
368 bool CheckStakeKernelHash(uint32_t nBits, const CBlock& blockFrom, uint32_t nTxPrevOffset, const CTransaction& txPrev, const COutPoint& prevout, uint32_t nTimeTx, uint256& hashProofOfStake, uint256& targetProofOfStake, bool fPrintProofOfStake)
370 if (nTimeTx < txPrev.nTime) // Transaction timestamp violation
371 return error("CheckStakeKernelHash() : nTime violation");
373 uint32_t nTimeBlockFrom = blockFrom.GetBlockTime();
374 if (nTimeBlockFrom + nStakeMinAge > nTimeTx) // Min age requirement
375 return error("CheckStakeKernelHash() : min age violation");
377 CBigNum bnTargetPerCoinDay;
378 bnTargetPerCoinDay.SetCompact(nBits);
379 int64_t nValueIn = txPrev.vout[prevout.n].nValue;
381 uint256 hashBlockFrom = blockFrom.GetHash();
383 CBigNum bnCoinDayWeight = CBigNum(nValueIn) * GetWeight((int64_t)txPrev.nTime, (int64_t)nTimeTx) / COIN / nOneDay;
384 targetProofOfStake = (bnCoinDayWeight * bnTargetPerCoinDay).getuint256();
387 CDataStream ss(SER_GETHASH, 0);
388 uint64_t nStakeModifier = 0;
389 int nStakeModifierHeight = 0;
390 int64_t nStakeModifierTime = 0;
392 if (!GetKernelStakeModifier(hashBlockFrom, nStakeModifier, nStakeModifierHeight, nStakeModifierTime, fPrintProofOfStake))
394 ss << nStakeModifier;
396 ss << nTimeBlockFrom << nTxPrevOffset << txPrev.nTime << prevout.n << nTimeTx;
397 hashProofOfStake = Hash(ss.begin(), ss.end());
398 if (fPrintProofOfStake)
400 printf("CheckStakeKernelHash() : using modifier 0x%016" PRIx64 " at height=%d timestamp=%s for block from height=%d timestamp=%s\n",
401 nStakeModifier, nStakeModifierHeight,
402 DateTimeStrFormat(nStakeModifierTime).c_str(),
403 mapBlockIndex[hashBlockFrom]->nHeight,
404 DateTimeStrFormat(blockFrom.GetBlockTime()).c_str());
405 printf("CheckStakeKernelHash() : check modifier=0x%016" PRIx64 " nTimeBlockFrom=%u nTxPrevOffset=%u nTimeTxPrev=%u nPrevout=%u nTimeTx=%u hashTarget=%s hashProof=%s\n",
407 nTimeBlockFrom, nTxPrevOffset, txPrev.nTime, prevout.n, nTimeTx,
408 targetProofOfStake.ToString().c_str(), hashProofOfStake.ToString().c_str());
411 // Now check if proof-of-stake hash meets target protocol
412 if (CBigNum(hashProofOfStake) > bnCoinDayWeight * bnTargetPerCoinDay)
414 if (fDebug && !fPrintProofOfStake)
416 printf("CheckStakeKernelHash() : using modifier 0x%016" PRIx64 " at height=%d timestamp=%s for block from height=%d timestamp=%s\n",
417 nStakeModifier, nStakeModifierHeight,
418 DateTimeStrFormat(nStakeModifierTime).c_str(),
419 mapBlockIndex[hashBlockFrom]->nHeight,
420 DateTimeStrFormat(blockFrom.GetBlockTime()).c_str());
421 printf("CheckStakeKernelHash() : pass modifier=0x%016" PRIx64 " nTimeBlockFrom=%u nTxPrevOffset=%u nTimeTxPrev=%u nPrevout=%u nTimeTx=%u hashTarget=%s hashProof=%s\n",
423 nTimeBlockFrom, nTxPrevOffset, txPrev.nTime, prevout.n, nTimeTx,
424 targetProofOfStake.ToString().c_str(), hashProofOfStake.ToString().c_str());
433 static const uint32_t block1_suffix[9] = { 0x80000000, 0, 0, 0, 0, 0, 0, 0, 0x000000e0 };
434 static const uint32_t block1_suffix_4way[4 * 9] = {
435 0x80000000, 0x80000000, 0x80000000, 0x80000000,
443 0x000000e0, 0x000000e0, 0x000000e0, 0x000000e0
447 static const uint32_t block2_suffix[8] = { 0x80000000, 0, 0, 0, 0, 0, 0, 0x00000100 };
448 static const uint32_t block2_suffix_4way[4 * 8] = {
449 0x80000000, 0x80000000, 0x80000000, 0x80000000,
456 0x00000100, 0x00000100, 0x00000100, 0x00000100
459 // Sha256 initial state
460 static const uint32_t sha256_initial[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
462 extern "C" int sha256_use_4way();
464 extern "C" void sha256_transform(uint32_t *state, const uint32_t *block, int swap);
467 extern "C" void sha256_init_4way(uint32_t *state);
468 extern "C" void sha256_transform_4way(uint32_t *state, const uint32_t *block, int swap);
471 #include <immintrin.h>
473 extern "C" int sha256_use_ssse3();
474 bool fUseSSSE3 = sha256_use_ssse3() != 0;
476 inline void copyrow_swap32(uint32_t *to, uint32_t *from)
480 for (int i = 0; i < 4; i++)
481 to[i] = __builtin_bswap32(from[i]);
485 __m128i mask = _mm_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3);
486 _mm_storeu_si128((__m128i *)&to[0], _mm_shuffle_epi8(_mm_loadu_si128((__m128i *)&from[0]), mask));
490 inline void copyrow_swap32(uint32_t *to, uint32_t *from)
492 for (int i = 0; i < 4; i++)
493 to[i] = __builtin_bswap32(from[i]);
497 bool fUse4Way = sha256_use_4way() != 0;
499 class ScanMidstateWorker
504 ScanMidstateWorker(unsigned char *kernel, uint32_t nBits, uint32_t nInputTxTime, int64_t nValueIn, uint32_t nIntervalBegin, uint32_t nIntervalEnd)
505 : kernel(kernel), nBits(nBits), nInputTxTime(nInputTxTime), bnValueIn(nValueIn), nIntervalBegin(nIntervalBegin), nIntervalEnd(nIntervalEnd)
507 solutions = vector<std::pair<uint256,uint32_t> >();
512 SetThreadPriority(THREAD_PRIORITY_LOWEST);
514 // Compute maximum possible target to filter out majority of obviously insufficient hashes
515 CBigNum bnTargetPerCoinDay;
516 bnTargetPerCoinDay.SetCompact(nBits);
517 uint256 nMaxTarget = (bnTargetPerCoinDay * bnValueIn * nStakeMaxAge / COIN / nOneDay).getuint256();
519 uint32_t blocks1[4 * 16] __attribute__((aligned(16)));
520 uint32_t blocks2[4 * 16] __attribute__((aligned(16)));
521 uint32_t candidates[4 * 8] __attribute__((aligned(16)));
523 vector<uint32_t> vRow = vector<uint32_t>(4);
524 uint32_t *pnKernel = (uint32_t *) kernel;
526 for(int i = 0; i < 7; i++)
528 fill(vRow.begin(), vRow.end(), pnKernel[i]);
529 copyrow_swap32(&blocks1[i*4], &vRow[0]);
532 memcpy(&blocks1[28], &block1_suffix_4way[0], 36*4); // sha256 padding
533 memcpy(&blocks2[32], &block2_suffix_4way[0], 32*4);
535 uint32_t nTimeStamps[4] = {0, 0, 0, 0};
536 uint32_t nHashes[4] = {0, 0, 0, 0};
538 // Search forward in time from the given timestamp
539 // Stopping search in case of shutting down
540 for (uint32_t nTimeTx=nIntervalBegin, nMaxTarget32 = nMaxTarget.Get32(7); nTimeTx<nIntervalEnd && !fShutdown; nTimeTx +=4)
542 sha256_init_4way(blocks2);
543 sha256_init_4way(candidates);
545 nTimeStamps[0] = nTimeTx;
546 nTimeStamps[1] = nTimeTx+1;
547 nTimeStamps[2] = nTimeTx+2;
548 nTimeStamps[3] = nTimeTx+3;
550 copyrow_swap32(&blocks1[24], &nTimeStamps[0]); // Kernel timestamps
552 sha256_transform_4way(&blocks2[0], &blocks1[0], 0); // first hashing
553 sha256_transform_4way(&candidates[0], &blocks2[0], 0); // second hashing
554 copyrow_swap32(&nHashes[0], &candidates[28]);
556 for(int nResult = 0; nResult < 4; nResult++)
558 if (nHashes[nResult] <= nMaxTarget32) // Possible hit
560 uint256 nHashProofOfStake = 0;
561 uint32_t *pnHashProofOfStake = (uint32_t *) &nHashProofOfStake;
563 for (int i = 0; i < 7; i++)
564 pnHashProofOfStake[i] = __builtin_bswap32(candidates[(i*4) + nResult]);
565 pnHashProofOfStake[7] = nHashes[nResult];
567 CBigNum bnCoinDayWeight = bnValueIn * GetWeight((int64_t)nInputTxTime, (int64_t)nTimeStamps[nResult]) / COIN / nOneDay;
568 CBigNum bnTargetProofOfStake = bnCoinDayWeight * bnTargetPerCoinDay;
570 if (bnTargetProofOfStake >= CBigNum(nHashProofOfStake))
571 solutions.push_back(std::pair<uint256,uint32_t>(nHashProofOfStake, nTimeStamps[nResult]));
579 SetThreadPriority(THREAD_PRIORITY_LOWEST);
581 // Compute maximum possible target to filter out majority of obviously insufficient hashes
582 CBigNum bnTargetPerCoinDay;
583 bnTargetPerCoinDay.SetCompact(nBits);
584 uint256 nMaxTarget = (bnTargetPerCoinDay * bnValueIn * nStakeMaxAge / COIN / nOneDay).getuint256();
587 SHA256_CTX ctx = workerCtx;
589 // Sha256 result buffer
590 uint32_t hashProofOfStake[8];
592 // Compute maximum possible target to filter out majority of obviously insufficient hashes
593 CBigNum bnTargetPerCoinDay;
594 bnTargetPerCoinDay.SetCompact(nBits);
596 uint256 nMaxTarget = (bnTargetPerCoinDay * bnValueIn * nStakeMaxAge / COIN / nOneDay).getuint256(),
597 *pnHashProofOfStake = (uint256 *)&hashProofOfStake;
599 // Search forward in time from the given timestamp
600 // Stopping search in case of shutting down
601 for (uint32_t nTimeTx=nIntervalBegin, nMaxTarget32 = nMaxTarget.Get32(7); nTimeTx<nIntervalEnd && !fShutdown; nTimeTx++)
603 // Complete first hashing iteration
605 SHA256_Update(&ctx, (unsigned char*)&nTimeTx, 4);
606 SHA256_Final((unsigned char*)&hash1, &ctx);
611 // Finally, calculate kernel hash
612 SHA256((unsigned char*)&hash1, sizeof(hashProofOfStake), (unsigned char*)&hashProofOfStake);
614 // Skip if hash doesn't satisfy the maximum target
615 if (hashProofOfStake[7] > nMaxTarget32)
618 CBigNum bnCoinDayWeight = bnValueIn * GetWeight((int64_t)nInputTxTime, (int64_t)nTimeTx) / COIN / nOneDay;
619 CBigNum bnTargetProofOfStake = bnCoinDayWeight * bnTargetPerCoinDay;
621 if (bnTargetProofOfStake >= CBigNum(*pnHashProofOfStake))
622 solutions.push_back(std::pair<uint256,uint32_t>(*pnHashProofOfStake, nTimeTx));
625 uint32_t block1[16] __attribute__((aligned(16)));
626 uint32_t block2[16] __attribute__((aligned(16)));
627 uint32_t candidate[8] __attribute__((aligned(16)));
629 memcpy(&block1[7], &block1_suffix[0], 36); // sha256 padding
630 memcpy(&block2[8], &block2_suffix[0], 32);
632 uint32_t *pnKernel = (uint32_t *) kernel;
633 copyrow_swap32(&block1[0], pnKernel);
634 block1[4] = __builtin_bswap32(pnKernel[4]);
635 block1[5] = __builtin_bswap32(pnKernel[5]);
637 // Search forward in time from the given timestamp
638 // Stopping search in case of shutting down
639 for (uint32_t nTimeTx=nIntervalBegin, nMaxTarget32 = nMaxTarget.Get32(7); nTimeTx<nIntervalEnd && !fShutdown; nTimeTx++)
641 memcpy(&block2[0], &sha256_initial[0], 32);
642 memcpy(&candidate[0], &sha256_initial[0], 32);
644 block1[6] = __builtin_bswap32(nTimeTx);
646 sha256_transform(&block2[0], &block1[0], 0); // first hashing
647 sha256_transform(&candidate[0], &block2[0], 0); // second hashing
649 uint32_t nHash7 = __builtin_bswap32(candidate[7]);
651 // Skip if hash doesn't satisfy the maximum target
652 if (nHash7 > nMaxTarget32)
655 uint256 nHashProofOfStake;
656 uint32_t *pnHashProofOfStake = (uint32_t *) &nHashProofOfStake;
658 for (int i = 0; i < 7; i++)
659 pnHashProofOfStake[i] = __builtin_bswap32(candidate[i]);
660 pnHashProofOfStake[7] = nHash7;
662 CBigNum bnCoinDayWeight = bnValueIn * GetWeight((int64_t)nInputTxTime, (int64_t)nTimeTx) / COIN / nOneDay;
663 CBigNum bnTargetProofOfStake = bnCoinDayWeight * bnTargetPerCoinDay;
665 if (bnTargetProofOfStake >= CBigNum(nHashProofOfStake))
666 solutions.push_back(std::pair<uint256,uint32_t>(nHashProofOfStake, nTimeTx));
679 vector<std::pair<uint256,uint32_t> >& GetSolutions()
685 std::vector<std::pair<uint256,uint32_t> > solutions;
689 uint32_t nInputTxTime;
691 uint32_t nIntervalBegin;
692 uint32_t nIntervalEnd;
696 class ScanMidstateWorker
701 ScanMidstateWorker(unsigned char *kernel, uint32_t nBits, uint32_t nInputTxTime, int64_t nValueIn, uint32_t nIntervalBegin, uint32_t nIntervalEnd)
702 : nBits(nBits), nInputTxTime(nInputTxTime), bnValueIn(nValueIn), nIntervalBegin(nIntervalBegin), nIntervalEnd(nIntervalEnd)
704 // Init new sha256 context and update it
705 // with first 24 bytes of kernel
706 SHA256_Init(&workerCtx);
707 SHA256_Update(&workerCtx, kernel, 8 + 16);
708 solutions = vector<std::pair<uint256,uint32_t> >();
713 SetThreadPriority(THREAD_PRIORITY_LOWEST);
714 SHA256_CTX ctx = workerCtx;
716 // Sha256 result buffer
717 uint32_t hashProofOfStake[8];
719 // Compute maximum possible target to filter out majority of obviously insufficient hashes
720 CBigNum bnTargetPerCoinDay;
721 bnTargetPerCoinDay.SetCompact(nBits);
723 uint256 nMaxTarget = (bnTargetPerCoinDay * bnValueIn * nStakeMaxAge / COIN / nOneDay).getuint256(),
724 *pnHashProofOfStake = (uint256 *)&hashProofOfStake;
726 // Search forward in time from the given timestamp
727 // Stopping search in case of shutting down
728 for (uint32_t nTimeTx=nIntervalBegin, nMaxTarget32 = nMaxTarget.Get32(7); nTimeTx<nIntervalEnd && !fShutdown; nTimeTx++)
730 // Complete first hashing iteration
732 SHA256_Update(&ctx, (unsigned char*)&nTimeTx, 4);
733 SHA256_Final((unsigned char*)&hash1, &ctx);
738 // Finally, calculate kernel hash
739 SHA256((unsigned char*)&hash1, sizeof(hashProofOfStake), (unsigned char*)&hashProofOfStake);
741 // Skip if hash doesn't satisfy the maximum target
742 if (hashProofOfStake[7] > nMaxTarget32)
745 CBigNum bnCoinDayWeight = bnValueIn * GetWeight((int64_t)nInputTxTime, (int64_t)nTimeTx) / COIN / nOneDay;
746 CBigNum bnTargetProofOfStake = bnCoinDayWeight * bnTargetPerCoinDay;
748 if (bnTargetProofOfStake >= CBigNum(*pnHashProofOfStake))
749 solutions.push_back(std::pair<uint256,uint32_t>(*pnHashProofOfStake, nTimeTx));
753 vector<std::pair<uint256,uint32_t> >& GetSolutions()
759 SHA256_CTX workerCtx;
760 std::vector<std::pair<uint256,uint32_t> > solutions;
763 uint32_t nInputTxTime;
765 uint32_t nIntervalBegin;
766 uint32_t nIntervalEnd;
770 // Scan given kernel for solution
771 bool ScanKernelForward(unsigned char *kernel, uint32_t nBits, uint32_t nInputTxTime, int64_t nValueIn, std::pair<uint32_t, uint32_t> &SearchInterval, std::vector<std::pair<uint256, uint32_t> > &solutions)
773 // TODO: custom threads amount
775 uint32_t nThreads = boost::thread::hardware_concurrency();
776 uint32_t nPart = (SearchInterval.second - SearchInterval.first) / nThreads;
779 ScanMidstateWorker *workers = new ScanMidstateWorker[nThreads];
781 boost::thread_group group;
782 for(size_t i = 0; i < nThreads; i++)
784 uint32_t nBegin = SearchInterval.first + nPart * i;
785 uint32_t nEnd = SearchInterval.first + nPart * (i + 1);
786 workers[i] = ScanMidstateWorker(kernel, nBits, nInputTxTime, nValueIn, nBegin, nEnd);
787 boost::function<void()> workerFnc = boost::bind(&ScanMidstateWorker::Do, &workers[i]);
788 group.create_thread(workerFnc);
794 for(size_t i = 0; i < nThreads; i++)
796 std::vector<std::pair<uint256, uint32_t> > ws = workers[i].GetSolutions();
797 solutions.insert(solutions.end(), ws.begin(), ws.end());
802 if (solutions.size() == 0)
811 // Scan given midstate for solution
812 bool ScanContextBackward(SHA256_CTX &ctx, uint32_t nBits, uint32_t nInputTxTime, int64_t nValueIn, std::pair<uint32_t, uint32_t> &SearchInterval, std::pair<uint256, uint32_t> &solution)
814 CBigNum bnTargetPerCoinDay;
815 bnTargetPerCoinDay.SetCompact(nBits);
817 // Get maximum possible target to filter out the majority of obviously insufficient hashes
818 CBigNum bnMaxTargetPerCoinDay = bnTargetPerCoinDay * CBigNum(nValueIn) * nStakeMaxAge / COIN / nOneDay;
819 uint256 maxTarget = bnMaxTargetPerCoinDay.getuint256();
821 SHA256_CTX ctxCopy = ctx;
823 // Search backward in time from the given timestamp
824 // Stopping search in case of shutting down
825 for (uint32_t nTimeTx=SearchInterval.first; nTimeTx>SearchInterval.second && !fShutdown; nTimeTx--)
827 // Complete first hashing iteration
829 SHA256_Update(&ctxCopy, (unsigned char*)&nTimeTx, 4);
830 SHA256_Final((unsigned char*)&hash1, &ctxCopy);
835 // Finally, calculate kernel hash
836 uint256 hashProofOfStake;
837 SHA256((unsigned char*)&hash1, sizeof(hashProofOfStake), (unsigned char*)&hashProofOfStake);
839 // Skip if hash doesn't satisfy the maximum target
840 if (hashProofOfStake > maxTarget)
843 CBigNum bnCoinDayWeight = CBigNum(nValueIn) * GetWeight((int64_t)nInputTxTime, (int64_t)nTimeTx) / COIN / nOneDay;
844 CBigNum bnTargetProofOfStake = bnCoinDayWeight * bnTargetPerCoinDay;
846 if (bnTargetProofOfStake >= CBigNum(hashProofOfStake))
848 solution.first = hashProofOfStake;
849 solution.second = nTimeTx;
858 // Check kernel hash target and coinstake signature
859 bool CheckProofOfStake(const CTransaction& tx, unsigned int nBits, uint256& hashProofOfStake, uint256& targetProofOfStake)
861 if (!tx.IsCoinStake())
862 return error("CheckProofOfStake() : called on non-coinstake %s", tx.GetHash().ToString().c_str());
864 // Kernel (input 0) must match the stake hash target per coin age (nBits)
865 const CTxIn& txin = tx.vin[0];
867 // First try finding the previous transaction in database
871 if (!txPrev.ReadFromDisk(txdb, txin.prevout, txindex))
872 return tx.DoS(1, error("CheckProofOfStake() : INFO: read txPrev failed")); // previous transaction not in main chain, may occur during initial download
879 if (!VerifySignature(txPrev, tx, 0, MANDATORY_SCRIPT_VERIFY_FLAGS, 0))
880 return tx.DoS(100, error("CheckProofOfStake() : VerifySignature failed on coinstake %s", tx.GetHash().ToString().c_str()));
884 if (!block.ReadFromDisk(txindex.pos.nFile, txindex.pos.nBlockPos, false))
885 return fDebug? error("CheckProofOfStake() : read block failed") : false; // unable to read block of previous transaction
887 if (!CheckStakeKernelHash(nBits, block, txindex.pos.nTxPos - txindex.pos.nBlockPos, txPrev, txin.prevout, tx.nTime, hashProofOfStake, targetProofOfStake, fDebug))
888 return tx.DoS(1, error("CheckProofOfStake() : INFO: check kernel failed on coinstake %s, hashProof=%s", tx.GetHash().ToString().c_str(), hashProofOfStake.ToString().c_str())); // may occur during initial download or if behind on block chain sync
893 // Get stake modifier checksum
894 uint32_t GetStakeModifierChecksum(const CBlockIndex* pindex)
896 assert (pindex->pprev || pindex->GetBlockHash() == (!fTestNet ? hashGenesisBlock : hashGenesisBlockTestNet));
897 // Hash previous checksum with flags, hashProofOfStake and nStakeModifier
898 CDataStream ss(SER_GETHASH, 0);
900 ss << pindex->pprev->nStakeModifierChecksum;
901 ss << pindex->nFlags << pindex->hashProofOfStake << pindex->nStakeModifier;
902 uint256 hashChecksum = Hash(ss.begin(), ss.end());
903 hashChecksum >>= (256 - 32);
904 return static_cast<uint32_t>(hashChecksum.Get64());
907 // Check stake modifier hard checkpoints
908 bool CheckStakeModifierCheckpoints(int nHeight, uint32_t nStakeModifierChecksum)
910 MapModifierCheckpoints& checkpoints = (fTestNet ? mapStakeModifierCheckpointsTestNet : mapStakeModifierCheckpoints);
912 if (checkpoints.count(nHeight))
913 return nStakeModifierChecksum == checkpoints[nHeight];