Implement keccak256 operator and softfork

Cargo.toml

@@ -75,6 +75,8 @@ hex-literal = { workspace = true }
 # for secp sigs
 k256 = { version = "0.13.4", features = ["ecdsa"] }
 p256 = { version = "0.13.2", features = ["ecdsa"] }
+# for keccak256
+sha3 = "0.10.8"
 
 [dev-dependencies]
 rstest = { workspace = true }

docs/new-operator-checklist.md

@@ -24,17 +24,22 @@ Follow this checklist when adding operators:
 - Include the new operators in the fuzzer `fuzz/fuzz_targets/operators.rs`
 - Include the new operators and their signatures in `tools/src/bin/generate-fuzz-corpus.rs`.
   Make sure to run this and fuzz for some time before landing the PR.
-- extend the benchmark-clvm-cost.rs to include benchmarks for the new operator,
+- Extend the benchmark-clvm-cost.rs to include benchmarks for the new operator,
   to establish its cost.
-- The opcode decoding and dispatching happens in `src/ChiaDialect.rs`
+- The opcode decoding and dispatching happens in `src/chia_dialect.rs`
+- Add support for the new operators in `src/test_ops.rs` `parse_atom()`, to
+  compile the name of the operator to its corresponding opcode.
+- If the operator(s) are part of an extension to `softfork`, add another value
+  to the `OperatorSet` enum.
 - Add a new flag (in `src/chia_dialect.rs`) that controls whether the
   operators are activated or not. This is required in order for the chain to exist
   in a state _before_ your soft-fork has activated, and behave consistently with
   versions of the node that doesn't know about your new operators.
   Make sure the value of the flag does not collide with any of the flags in
-  [chia_rs](https://github.com/Chia-Network/chia_rs/blob/main/src/gen/flags.rs).
+  [chia_rs](https://github.com/Chia-Network/chia_rs/blob/main/crates/chia-consensus/src/gen/flags.rs).
   This is a quirk where both of these repos share the same flags space.
 - Once a soft-fork has activated, if everything on chain before the softfork is
   compatible with the new rules (which is likely and ought to be the ambition
   with all soft-forks), all logic surrounding activating or deactivating the
   soft-fork should be removed.
+- Expose the new flag(s) to python in chia_rs.

fuzz/Cargo.toml

@@ -71,3 +71,9 @@ name = "allocator"
 path = "fuzz_targets/allocator.rs"
 test = false
 doc = false
+
+[[bin]]
+name = "keccak"
+path = "fuzz_targets/keccak.rs"
+test = false
+doc = false

fuzz/fuzz_targets/keccak.rs

@@ -0,0 +1,16 @@
+#![no_main]
+use clvmr::keccak256_ops::op_keccak256;
+use clvmr::{reduction::Reduction, Allocator, NodePtr};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    let mut a = Allocator::new();
+    let blob = a.new_atom(data).expect("failed to create atom");
+    let args = a
+        .new_pair(blob, NodePtr::NIL)
+        .expect("failed to create pair");
+    let Reduction(cost, node) = op_keccak256(&mut a, args, 11000000000).expect("keccak256 failed");
+    assert!(cost >= 210);
+    assert!(node.is_atom());
+    assert_eq!(a.atom_len(node), 32);
+});

fuzz/fuzz_targets/operators.rs

@@ -9,6 +9,7 @@ use clvmr::bls_ops::{
 };
 use clvmr::core_ops::{op_cons, op_eq, op_first, op_if, op_listp, op_raise, op_rest};
 use clvmr::cost::Cost;
+use clvmr::keccak256_ops::op_keccak256;
 use clvmr::more_ops::{
     op_add, op_all, op_any, op_ash, op_coinid, op_concat, op_div, op_divmod, op_gr, op_gr_bytes,
     op_logand, op_logior, op_lognot, op_logxor, op_lsh, op_mod, op_modpow, op_multiply, op_not,
@@ -20,7 +21,7 @@ use clvmr::serde::node_from_bytes;
 
 type Opf = fn(&mut Allocator, NodePtr, Cost) -> Response;
 
-const FUNS: [Opf; 45] = [
+const FUNS: [Opf; 46] = [
     op_if as Opf,
     op_cons as Opf,
     op_first as Opf,
@@ -68,6 +69,8 @@ const FUNS: [Opf; 45] = [
     // Secp operators
     op_secp256k1_verify as Opf,
     op_secp256r1_verify as Opf,
+    // keccak operator
+    op_keccak256 as Opf,
 ];
 
 fuzz_target!(|data: &[u8]| {

op-tests/test-keccak256.txt

@@ -0,0 +1,12 @@
+; the format for these test cases are:
+; expression => expected result | expected-cost
+
+keccak256 "foobar" => 0x38d18acb67d25c8bb9942764b62f18e17054f66a817bd4295423adf9ed98873e | 542
+keccak256 "f" "oobar" => 0x38d18acb67d25c8bb9942764b62f18e17054f66a817bd4295423adf9ed98873e | 702
+keccak256 "f" "o" "obar" => 0x38d18acb67d25c8bb9942764b62f18e17054f66a817bd4295423adf9ed98873e | 862
+keccak256 "f" "o" "o" "bar" => 0x38d18acb67d25c8bb9942764b62f18e17054f66a817bd4295423adf9ed98873e | 1022
+keccak256 "f" "o" "o" "b" "a" "r" => 0x38d18acb67d25c8bb9942764b62f18e17054f66a817bd4295423adf9ed98873e | 1342
+
+keccak256 "foo" => 0x41b1a0649752af1b28b3dc29a1556eee781e4a4c3a1f7f53f90fa834de098c4d | 536
+keccak256 "fo" "o" => 0x41b1a0649752af1b28b3dc29a1556eee781e4a4c3a1f7f53f90fa834de098c4d | 696
+keccak256 "f" "o" "o" => 0x41b1a0649752af1b28b3dc29a1556eee781e4a4c3a1f7f53f90fa834de098c4d | 856

src/chia_dialect.rs

@@ -8,6 +8,7 @@ use crate::core_ops::{op_cons, op_eq, op_first, op_if, op_listp, op_raise, op_re
 use crate::cost::Cost;
 use crate::dialect::{Dialect, OperatorSet};
 use crate::err_utils::err;
+use crate::keccak256_ops::op_keccak256;
 use crate::more_ops::{
     op_add, op_all, op_any, op_ash, op_coinid, op_concat, op_div, op_divmod, op_gr, op_gr_bytes,
     op_logand, op_logior, op_lognot, op_logxor, op_lsh, op_mod, op_modpow, op_multiply, op_not,
@@ -24,6 +25,14 @@ pub const NO_UNKNOWN_OPS: u32 = 0x0002;
 // the number of pairs
 pub const LIMIT_HEAP: u32 = 0x0004;
 
+// enables the keccak256 op *outside* the softfork guard.
+// This is a hard-fork and should only be enabled when it activates
+pub const ENABLE_KECCAK_OPS_OUTSIDE_GUARD: u32 = 0x0100;
+
+// enables the keccak softfork extension. This is a soft-fork and
+// should be set for blocks past the activation height.
+pub const ENABLE_KECCAK: u32 = 0x0200;
+
 // The default mode when running grnerators in mempool-mode (i.e. the stricter
 // mode)
 pub const MEMPOOL_MODE: u32 = NO_UNKNOWN_OPS | LIMIT_HEAP;
@@ -59,10 +68,20 @@ impl Dialect for ChiaDialect {
         o: NodePtr,
         argument_list: NodePtr,
         max_cost: Cost,
-        _extension: OperatorSet,
+        extension: OperatorSet,
     ) -> Response {
-        // new softfork extensions go here, to enable new feature flags
-        let flags = self.flags;
+        let flags = self.flags
+            | match extension {
+                // This is the default set of operators, so no special flags need to be added.
+                OperatorSet::Default => 0,
+
+                // Since BLS has been hardforked in universally, this has no effect.
+                OperatorSet::Bls => 0,
+
+                // Keccak is allowed as if it were a default operator, inside of the softfork guard.
+                OperatorSet::Keccak => ENABLE_KECCAK_OPS_OUTSIDE_GUARD,
+            };
+
         let op_len = allocator.atom_len(o);
         if op_len == 4 {
             // these are unknown operators with assigned cost
@@ -148,6 +167,7 @@ impl Dialect for ChiaDialect {
             59 => op_bls_verify,
             60 => op_modpow,
             61 => op_mod,
+            62 if (flags & ENABLE_KECCAK_OPS_OUTSIDE_GUARD) != 0 => op_keccak256,
             _ => {
                 return unknown_operator(allocator, o, argument_list, flags, max_cost);
             }
@@ -169,10 +189,18 @@ impl Dialect for ChiaDialect {
     // return the Operators it enables (or None) if we don't know what it means
     fn softfork_extension(&self, ext: u32) -> OperatorSet {
         match ext {
-            // The BLS extensions (and coinid) operators were brought into the
-            // main operator set as part of the hard fork
-            0 => OperatorSet::BLS,
-            // new extensions go here
+            // Extension 0 is for the BLS operators, and is still valid.
+            // However, the extension doesn't add any addition opcodes,
+            // because the BLS operators were hardforked into the main set.
+            0 => OperatorSet::Bls,
+
+            // Extension 1 is for the keccak256 operator.
+            // This is only considered valid in the mempool if it's enabled with the flag.
+            // This is to prevent submission of spends with keccak until the softfork activates.
+            1 if (self.flags & ENABLE_KECCAK) != 0 => OperatorSet::Keccak,
+
+            // Extensions 2 and beyond are considered invalid by the mempool.
+            // However, all future extensions are valid in consensus mode and reserved for future softforks.
             _ => OperatorSet::Default,
         }
     }

src/dialect.rs

@@ -2,11 +2,20 @@ use crate::allocator::{Allocator, NodePtr};
 use crate::cost::Cost;
 use crate::reduction::Response;
 
+/// The set of operators that are available in the dialect.
 #[repr(u32)]
 #[derive(Clone, Copy, Eq, PartialEq)]
 pub enum OperatorSet {
+    /// Any softfork extensions that are not added yet will be rejected.
     Default,
-    BLS,
+
+    /// Originally added BLS operators when inside softfork extension 0.
+    /// The operators have since been hardforked into the main operator set.
+    Bls,
+
+    /// The keccak256 operator, which is only available inside the softfork guard.
+    /// This uses softfork extension 1, which does not conflict with the BLS fork.
+    Keccak,
 }
 
 pub trait Dialect {

src/keccak256_ops.rs

@@ -0,0 +1,32 @@
+use crate::allocator::{Allocator, NodePtr};
+use crate::cost::check_cost;
+use crate::cost::Cost;
+use crate::op_utils::atom;
+use crate::op_utils::new_atom_and_cost;
+use crate::reduction::Response;
+use sha3::{Digest, Keccak256};
+
+const KECCAK256_BASE_COST: Cost = 50;
+const KECCAK256_COST_PER_ARG: Cost = 160;
+const KECCAK256_COST_PER_BYTE: Cost = 2;
+
+pub fn op_keccak256(a: &mut Allocator, mut input: NodePtr, max_cost: Cost) -> Response {
+    let mut cost = KECCAK256_BASE_COST;
+
+    let mut byte_count: usize = 0;
+    let mut hasher = Keccak256::new();
+    while let Some((arg, rest)) = a.next(input) {
+        input = rest;
+        cost += KECCAK256_COST_PER_ARG;
+        check_cost(
+            a,
+            cost + byte_count as Cost * KECCAK256_COST_PER_BYTE,
+            max_cost,
+        )?;
+        let blob = atom(a, arg, "keccak256")?;
+        byte_count += blob.as_ref().len();
+        hasher.update(blob);
+    }
+    cost += byte_count as Cost * KECCAK256_COST_PER_BYTE;
+    new_atom_and_cost(a, cost, &hasher.finalize())
+}

src/lib.rs

@@ -6,6 +6,7 @@ pub mod cost;
 pub mod dialect;
 pub mod err_utils;
 pub mod f_table;
+pub mod keccak256_ops;
 pub mod more_ops;
 pub mod number;
 pub mod op_utils;