Merge #1511: Introduce per-txin sighash midstate cache for legacy/p2sh/segwitv0 scripts

eb64d24 Merge bitcoin/bitcoin#32473: Introduce per-txin sighash midstate cache for legacy/p2sh/segwitv0 scripts (merge-script)

Pull request description:

  Backport of bitcoin/bitcoin#32473

  Additional cache index bit added for sighash combination with `SIGHASH_RANGEPROOF`

ACKs for top commit:
  delta1:
    ACK eb64d24

Tree-SHA512: 94014e726ff16473809672f3e01a8e4d11c4abd38b3ae3ae64b8b9ae61be2e3c246157dca5a3a3afc4b85cc8ec69e23181af8f11c36e0b43cfac2dcb3e2e8d70

Author: delta1

src/script/interpreter.cpp

@@ -2822,11 +2822,59 @@ bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, cons
     return true;
 }
 
+int SigHashCache::CacheIndex(int32_t hash_type) const noexcept
+{
+    // Note that we do not distinguish between BASE and WITNESS_V0 to determine the cache index,
+    // because no input can simultaneously use both.
+    return 8 * !!(hash_type & SIGHASH_RANGEPROOF) +                       // bit 3
+           3 * !!(hash_type & SIGHASH_ANYONECANPAY) +                    // bit 2
+           2 * ((hash_type & 0x1f) == SIGHASH_SINGLE) +                  // bit 1
+           1 * ((hash_type & 0x1f) == SIGHASH_NONE);                     // bit 0
+}
+
+bool SigHashCache::Load(int32_t hash_type, const CScript& script_code, CHashWriter& writer) const noexcept
+{
+    auto& entry = m_cache_entries[CacheIndex(hash_type)];
+    if (entry.has_value()) {
+        if (script_code == entry->first) {
+            writer.~CHashWriter();
+            new (&writer) CHashWriter(entry->second);
+            return true;
+        }
+    }
+    return false;
+}
+
+void SigHashCache::Store(int32_t hash_type, const CScript& script_code, const CHashWriter& writer) noexcept
+{
+    auto& entry = m_cache_entries[CacheIndex(hash_type)];
+    entry.emplace(script_code, writer);
+}
+
 template <class T>
-uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn, int nHashType, const CConfidentialValue& amount, SigVersion sigversion, unsigned int flags, const PrecomputedTransactionData* cache)
+uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn, int nHashType, const CConfidentialValue& amount, SigVersion sigversion, unsigned int flags, const PrecomputedTransactionData* cache, SigHashCache* sighash_cache)
 {
     assert(nIn < txTo.vin.size());
 
+    if (sigversion != SigVersion::WITNESS_V0) {
+        // Check for invalid use of SIGHASH_SINGLE
+        if ((nHashType & 0x1f) == SIGHASH_SINGLE) {
+            if (nIn >= txTo.vout.size()) {
+                //  nOut out of range
+                return uint256::ONE;
+            }
+        }
+    }
+
+    CHashWriter ss(SER_GETHASH, 0);
+
+    // Try to compute using cached SHA256 midstate.
+    if (sighash_cache && sighash_cache->Load(nHashType, scriptCode, ss)) {
+        // Add sighash type and hash.
+        ss << nHashType;
+        return ss.GetHash();
+    }
+
     if (sigversion == SigVersion::WITNESS_V0) {
         uint256 hashPrevouts;
         uint256 hashSequence;
@@ -2855,24 +2903,23 @@ uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn
                 hashRangeproofs = cacheready ? cache->hashRangeproofs : GetRangeproofsHash(txTo);
             }
         } else if ((nHashType & 0x1f) == SIGHASH_SINGLE && nIn < txTo.vout.size()) {
-            CHashWriter ss(SER_GETHASH, 0);
-            ss << txTo.vout[nIn];
-            hashOutputs = ss.GetHash();
+            CHashWriter inner_ss(SER_GETHASH, 0);
+            inner_ss << txTo.vout[nIn];
+            hashOutputs = inner_ss.GetHash();
 
             if (fRangeproof) {
-                CHashWriter ss(SER_GETHASH, 0);
+                CHashWriter inner_ss(SER_GETHASH, 0);
                 if (nIn < txTo.witness.vtxoutwit.size()) {
-                    ss << txTo.witness.vtxoutwit[nIn].vchRangeproof;
-                    ss << txTo.witness.vtxoutwit[nIn].vchSurjectionproof;
+                    inner_ss << txTo.witness.vtxoutwit[nIn].vchRangeproof;
+                    inner_ss << txTo.witness.vtxoutwit[nIn].vchSurjectionproof;
                 } else {
-                    ss << (unsigned char) 0;
-                    ss << (unsigned char) 0;
+                    inner_ss << (unsigned char) 0;
+                    inner_ss << (unsigned char) 0;
                 }
-                hashRangeproofs = ss.GetHash();
+                hashRangeproofs = inner_ss.GetHash();
             }
         }
 
-        CHashWriter ss(SER_GETHASH, 0);
         // Version
         ss << txTo.nVersion;
         // Input prevouts/nSequence (none/all, depending on flags)
@@ -2905,26 +2952,19 @@ uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn
         }
         // Locktime
         ss << txTo.nLockTime;
-        // Sighash type
-        ss << nHashType;
-
-        return ss.GetHash();
+    } else {
+        // Wrapper to serialize only the necessary parts of the transaction being signed
+        CTransactionSignatureSerializer<T> txTmp(txTo, scriptCode, nIn, nHashType, flags);
+        ss << txTmp;
     }
 
-    // Check for invalid use of SIGHASH_SINGLE
-    if ((nHashType & 0x1f) == SIGHASH_SINGLE) {
-        if (nIn >= txTo.vout.size()) {
-            //  nOut out of range
-            return uint256::ONE;
-        }
+    // If a cache object was provided, store the midstate there.
+    if (sighash_cache != nullptr) {
+        sighash_cache->Store(nHashType, scriptCode, ss);
     }
 
-    // Wrapper to serialize only the necessary parts of the transaction being signed
-    CTransactionSignatureSerializer<T> txTmp(txTo, scriptCode, nIn, nHashType, flags);
-
     // Serialize and hash
-    CHashWriter ss(SER_GETHASH, 0);
-    ss << txTmp << nHashType;
+    ss << nHashType;
     return ss.GetHash();
 }
 
@@ -2957,7 +2997,7 @@ bool GenericTransactionSignatureChecker<T>::CheckECDSASignature(const std::vecto
     // Witness sighashes need the amount.
     if (sigversion == SigVersion::WITNESS_V0 && amount.IsNull()) return HandleMissingData(m_mdb);
 
-    uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion, flags, this->txdata);
+    uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion, flags, this->txdata, &m_sighash_cache);
 
     if (!VerifyECDSASignature(vchSig, pubkey, sighash))
         return false;

src/script/interpreter.h

@@ -289,8 +289,27 @@ extern const CHashWriter HASHER_TAPSIGHASH_ELEMENTS; //!< Hasher with tag "TapSi
 extern const CHashWriter HASHER_TAPLEAF_ELEMENTS;    //!< Hasher with tag "TapLeaf" pre-fed to it.
 extern const CHashWriter HASHER_TAPBRANCH_ELEMENTS;  //!< Hasher with tag "TapBranch" pre-fed to it.
 
+/** Data structure to cache SHA256 midstates for the ECDSA sighash calculations
+ *  (bare, P2SH, P2WPKH, P2WSH). */
+class SigHashCache
+{
+    /** For each sighash mode (ALL, SINGLE, NONE, ALL|ANYONE, SINGLE|ANYONE, NONE|ANYONE, ALL|RANGEPROOF, SINGLE|RANGEPROOF, NONE|RANGEPROOF, ALL|ANYONE|RANGEPROOF, SINGLE|ANYONE|RANGEPROOF, NONE|ANYONE|RANGEPROOF),
+     *  optionally store a scriptCode which the hash is for, plus a midstate for the SHA256
+     *  computation just before adding the hash_type itself. */
+    std::optional<std::pair<CScript, CHashWriter>> m_cache_entries[16];
+
+    /** Given a hash_type, find which of the cache entries is to be used. */
+    int CacheIndex(int32_t hash_type) const noexcept;
+
+public:
+    /** Load into writer the SHA256 midstate if found in this cache. */
+    [[nodiscard]] bool Load(int32_t hash_type, const CScript& script_code, CHashWriter& writer) const noexcept;
+    /** Store into this cache object the provided SHA256 midstate. */
+    void Store(int32_t hash_type, const CScript& script_code, const CHashWriter& writer) noexcept;
+};
+
 template <class T>
-uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn, int nHashType, const CConfidentialValue& amount, SigVersion sigversion, unsigned int flags, const PrecomputedTransactionData* cache = nullptr);
+uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn, int nHashType, const CConfidentialValue& amount, SigVersion sigversion, unsigned int flags, const PrecomputedTransactionData* cache = nullptr, SigHashCache* sighash_cache = nullptr);
 
 class BaseSignatureChecker
 {
@@ -374,6 +393,7 @@ class GenericTransactionSignatureChecker : public BaseSignatureChecker
     unsigned int nIn;
     const CConfidentialValue amount;
     const PrecomputedTransactionData* txdata;
+    mutable SigHashCache m_sighash_cache;
 
 protected:
     virtual bool VerifyECDSASignature(const std::vector<unsigned char>& vchSig, const CPubKey& vchPubKey, const uint256& sighash) const;

src/test/fuzz/script_interpreter.cpp

@@ -7,6 +7,7 @@
 #include <test/fuzz/FuzzedDataProvider.h>
 #include <test/fuzz/fuzz.h>
 #include <test/fuzz/util.h>
+#include <util/check.h>
 
 #include <cstdint>
 #include <optional>
@@ -39,3 +40,29 @@ FUZZ_TARGET(script_interpreter)
         (void)CastToBool(ConsumeRandomLengthByteVector(fuzzed_data_provider));
     }
 }
+
+/** Differential fuzzing for SignatureHash with and without cache. */
+
+FUZZ_TARGET(sighash_cache)
+{
+    FuzzedDataProvider provider(buffer.data(), buffer.size());
+
+    // Get inputs to the sighash function that won't change across types.
+    const auto scriptcode{ConsumeScript(provider)};
+    const auto tx{ConsumeTransaction(provider, std::nullopt)};
+    if (tx.vin.empty()) return;
+    const auto in_index{provider.ConsumeIntegralInRange<uint32_t>(0, tx.vin.size() - 1)};
+    const auto amount{ConsumeMoney(provider)};
+    const auto sigversion{(SigVersion)provider.ConsumeIntegralInRange(0, 1)};
+
+    // Check the sighash function will give the same result for 100 fuzzer-generated hash types whether or not a cache is
+    // provided. The cache is conserved across types to exercise cache hits.
+    SigHashCache sighash_cache{};
+    for (int i{0}; i < 100; ++i) {
+        const auto hash_type{((i & 2) == 0) ? provider.ConsumeIntegral<int8_t>() : provider.ConsumeIntegral<int32_t>()};
+        const auto nocache_res{SignatureHash(scriptcode, tx, in_index, hash_type, amount, sigversion, 0)};
+        const auto cache_res{SignatureHash(scriptcode, tx, in_index, hash_type, amount, sigversion, 0, nullptr, &sighash_cache)};
+        Assert(nocache_res == cache_res);
+    }
+}
+

src/test/sighash_tests.cpp

@@ -207,4 +207,94 @@ BOOST_AUTO_TEST_CASE(sighash_from_data)
         BOOST_CHECK_MESSAGE(sh.GetHex() == sigHashHex, strTest);
     }
 }
+
+BOOST_AUTO_TEST_CASE(sighash_caching)
+{
+    // Get a script, transaction and parameters as inputs to the sighash function.
+    CScript scriptcode;
+    RandomScript(scriptcode);
+    CScript diff_scriptcode{scriptcode};
+    diff_scriptcode << OP_1;
+    CMutableTransaction tx;
+    RandomTransaction(tx,false);
+    const auto in_index{static_cast<uint32_t>(InsecureRandRange(tx.vin.size()))};
+    const auto amount{CConfidentialValue(CAmount(10))};
+
+    // Exercise the sighash function under both legacy and segwit v0.
+    for (const auto sigversion: {SigVersion::BASE, SigVersion::WITNESS_V0}) {
+        // For each, run it against all the 6 standard hash types and a few additional random ones.
+        std::vector<int32_t> hash_types{{SIGHASH_ALL, SIGHASH_SINGLE, SIGHASH_NONE, SIGHASH_ALL | SIGHASH_ANYONECANPAY,
+                                          SIGHASH_SINGLE | SIGHASH_ANYONECANPAY, SIGHASH_NONE | SIGHASH_ANYONECANPAY,
+                                          SIGHASH_ANYONECANPAY, 0, std::numeric_limits<int32_t>::max()}};
+        for (int i{0}; i < 10; ++i) {
+            hash_types.push_back(i % 2 == 0 ? static_cast<int32_t>(InsecureRandRange(256)) : static_cast<int32_t>(g_insecure_rand_ctx.rand32()));
+        }
+
+        // Reuse the same cache across script types. This must not cause any issue as the cached value for one hash type must never
+        // be confused for another (instantiating the cache within the loop instead would prevent testing this).
+        SigHashCache cache;
+        for (const auto hash_type: hash_types) {
+            const bool expect_one{sigversion == SigVersion::BASE && ((hash_type & 0x1f) == SIGHASH_SINGLE) && in_index >= tx.vout.size()};
+
+            // The result of computing the sighash should be the same with or without cache.
+            const auto sighash_with_cache{SignatureHash(scriptcode, tx, in_index, hash_type, amount, sigversion, int32_t{0},nullptr, &cache)};
+            const auto sighash_no_cache{SignatureHash(scriptcode, tx, in_index, hash_type, amount, sigversion, int32_t{0}, nullptr, nullptr)};
+            BOOST_CHECK_EQUAL(sighash_with_cache, sighash_no_cache);
+
+            // Calling the cached version again should return the same value again.
+            BOOST_CHECK_EQUAL(sighash_with_cache, SignatureHash(scriptcode, tx, in_index, hash_type, amount, sigversion, int32_t{0}, nullptr, &cache));
+
+            // While here we might as well also check that the result for legacy is the same as for the old SignatureHash() function.
+            if (sigversion == SigVersion::BASE) {
+                BOOST_CHECK_EQUAL(sighash_with_cache, SignatureHashOld(scriptcode, CTransaction(tx), in_index, hash_type));
+            }
+
+            // Calling with a different scriptcode (for instance in case a CODESEP is encountered) will not return the cache value but
+            // overwrite it. The sighash will always be different except in case of legacy SIGHASH_SINGLE bug.
+            const auto sighash_with_cache2{SignatureHash(diff_scriptcode, tx, in_index, hash_type, amount, sigversion, int32_t{0}, nullptr, &cache)};
+            const auto sighash_no_cache2{SignatureHash(diff_scriptcode, tx, in_index, hash_type, amount, sigversion, int32_t{0}, nullptr, nullptr)};
+            BOOST_CHECK_EQUAL(sighash_with_cache2, sighash_no_cache2);
+            if (!expect_one) {
+                BOOST_CHECK_NE(sighash_with_cache, sighash_with_cache2);
+            } else {
+                BOOST_CHECK_EQUAL(sighash_with_cache, sighash_with_cache2);
+                BOOST_CHECK_EQUAL(sighash_with_cache, uint256::ONE);
+            }
+
+            // Calling the cached version again should return the same value again.
+            BOOST_CHECK_EQUAL(sighash_with_cache2, SignatureHash(diff_scriptcode, tx, in_index, hash_type, amount, sigversion, int32_t{0}, nullptr, &cache));
+
+            // And if we store a different value for this scriptcode and hash type it will return that instead.
+            {
+                CHashWriter h{SER_GETHASH, 0};
+                h << 42;
+                cache.Store(hash_type, scriptcode, h);
+                const auto stored_hash{h.GetHash()};
+                BOOST_CHECK(cache.Load(hash_type, scriptcode, h));
+                const auto loaded_hash{h.GetHash()};
+                BOOST_CHECK_EQUAL(stored_hash, loaded_hash);
+            }
+
+            // And using this mutated cache with the sighash function will return the new value (except in the legacy SIGHASH_SINGLE bug
+            // case in which it'll return 1).
+            if (!expect_one) {
+                BOOST_CHECK_NE(SignatureHash(scriptcode, tx, in_index, hash_type, amount, sigversion, int32_t{0}, nullptr, &cache), sighash_with_cache);
+                CHashWriter h{SER_GETHASH, 0};
+                BOOST_CHECK(cache.Load(hash_type, scriptcode, h));
+                h << hash_type;
+                const auto new_hash{h.GetHash()};
+                BOOST_CHECK_EQUAL(SignatureHash(scriptcode, tx, in_index, hash_type, amount, sigversion, int32_t{0}, nullptr, &cache), new_hash);
+            } else {
+                BOOST_CHECK_EQUAL(SignatureHash(scriptcode, tx, in_index, hash_type, amount, sigversion, int32_t{0}, nullptr, &cache), uint256::ONE);
+            }
+
+            // Wipe the cache and restore the correct cached value for this scriptcode and hash_type before starting the next iteration.
+            CHashWriter dummy{SER_GETHASH, 0};
+            cache.Store(hash_type, diff_scriptcode, dummy);
+            (void)SignatureHash(scriptcode, tx, in_index, hash_type, amount, sigversion, 0, nullptr, &cache);
+            BOOST_CHECK(cache.Load(hash_type, scriptcode, dummy) || expect_one);
+        }
+    }
+}
+
 BOOST_AUTO_TEST_SUITE_END()