// Copyright (c) 2014-2019, The Monero Project // Copyright (c) 2018, The Loki Project // // All rights reserved. // // Redistribution and use in source and binary forms, with or without modification, are // permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this list of // conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, this list // of conditions and the following disclaimer in the documentation and/or other // materials provided with the distribution. // // 3. Neither the name of the copyright holder nor the names of its contributors may be // used to endorse or promote products derived from this software without specific // prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL // THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // // Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers #include #include "common/oxen.h" #include "epee/int-util.h" #include "crypto/hash.h" #include "difficulty.h" #include "hardfork.h" #undef OXEN_DEFAULT_LOG_CATEGORY #define OXEN_DEFAULT_LOG_CATEGORY "difficulty" namespace cryptonote { using std::size_t; using std::uint64_t; using std::vector; #if defined(__x86_64__) static inline void mul(uint64_t a, uint64_t b, uint64_t &low, uint64_t &high) { low = mul128(a, b, &high); } #else static inline void mul(uint64_t a, uint64_t b, uint64_t &low, uint64_t &high) { // __int128 isn't part of the standard, so the previous function wasn't portable. mul128() in Windows is fine, // but this portable function should be used elsewhere. Credit for this function goes to latexi95. uint64_t aLow = a & 0xFFFFFFFF; uint64_t aHigh = a >> 32; uint64_t bLow = b & 0xFFFFFFFF; uint64_t bHigh = b >> 32; uint64_t res = aLow * bLow; uint64_t lowRes1 = res & 0xFFFFFFFF; uint64_t carry = res >> 32; res = aHigh * bLow + carry; uint64_t highResHigh1 = res >> 32; uint64_t highResLow1 = res & 0xFFFFFFFF; res = aLow * bHigh; uint64_t lowRes2 = res & 0xFFFFFFFF; carry = res >> 32; res = aHigh * bHigh + carry; uint64_t highResHigh2 = res >> 32; uint64_t highResLow2 = res & 0xFFFFFFFF; //Addition uint64_t r = highResLow1 + lowRes2; carry = r >> 32; low = (r << 32) | lowRes1; r = highResHigh1 + highResLow2 + carry; uint64_t d3 = r & 0xFFFFFFFF; carry = r >> 32; r = highResHigh2 + carry; high = d3 | (r << 32); } #endif static inline bool cadd(uint64_t a, uint64_t b) { return a + b < a; } static inline bool cadc(uint64_t a, uint64_t b, bool c) { return a + b < a || (c && a + b == (uint64_t) -1); } bool check_hash(const crypto::hash &hash, difficulty_type difficulty) { uint64_t low, high, top, cur; // First check the highest word, this will most likely fail for a random hash. mul(swap64le(((const uint64_t *) &hash)[3]), difficulty, top, high); if (high != 0) { return false; } mul(swap64le(((const uint64_t *) &hash)[0]), difficulty, low, cur); mul(swap64le(((const uint64_t *) &hash)[1]), difficulty, low, high); bool carry = cadd(cur, low); cur = high; mul(swap64le(((const uint64_t *) &hash)[2]), difficulty, low, high); carry = cadc(cur, low, carry); carry = cadc(high, top, carry); return !carry; } void add_timestamp_and_difficulty(cryptonote::network_type nettype, uint64_t chain_height, std::vector ×tamps, std::vector &difficulties, uint64_t timestamp, uint64_t cumulative_difficulty) { timestamps.push_back(timestamp); difficulties.push_back(cumulative_difficulty); static const uint64_t hf16_height = HardFork::get_hardcoded_hard_fork_height(nettype, cryptonote::network_version_16_pulse); bool const before_hf16 = chain_height < hf16_height; // Trim down arrays while (timestamps.size() > DIFFICULTY_BLOCKS_COUNT(before_hf16)) timestamps.erase(timestamps.begin()); while (difficulties.size() > DIFFICULTY_BLOCKS_COUNT(before_hf16)) difficulties.erase(difficulties.begin()); } //--------------------------------------------------------------- // LWMA difficulty algorithm // Background: https://github.com/zawy12/difficulty-algorithms/issues/3 // Copyright (c) 2017-2018 Zawy (pseudocode) // MIT license http://www.opensource.org/licenses/mit-license.php // Copyright (c) 2018 Wownero Inc., a Monero Enterprise Alliance partner company // Copyright (c) 2018 The Karbowanec developers (initial code) // Copyright (c) 2018 Haven Protocol (refinements) // Degnr8, Karbowanec, Masari, Bitcoin Gold, Bitcoin Candy, and Haven have contributed. // This algorithm is: next_difficulty = harmonic_mean(Difficulties) * T / LWMA(Solvetimes) // The harmonic_mean(Difficulties) = 1/average(Targets) so it is also: // next_target = avg(Targets) * LWMA(Solvetimes) / T. // This is "the best algorithm" because it has lowest root-mean-square error between // needed & actual difficulty during hash attacks while having the lowest standard // deviation during stable hashrate. That is, it's the fastest for a given stability and vice versa. // Do not use "if solvetime < 1 then solvetime = 1" which allows a catastrophic exploit. // Do not sort timestamps. "Solvetimes" and "LWMA" variables must allow negatives. // Do not use MTP as most recent block. Do not use (POW)Limits, filtering, or tempering. // Do not forget to set N (aka DIFFICULTY_WINDOW in Cryptonote) to recommendation below. // The nodes' future time limit (FTL) aka CRYPTONOTE_BLOCK_FUTURE_TIME_LIMIT needs to // be reduced from 60*60*2 to 500 seconds to prevent timestamp manipulation from miner's with // > 50% hash power. If this is too small, it can be increased to 1000 at a cost in protection. difficulty_calc_mode difficulty_mode(cryptonote::network_type nettype, uint8_t hf_version, uint64_t height) { static const uint64_t hf12_height = cryptonote::HardFork::get_hardcoded_hard_fork_height(nettype, cryptonote::network_version_12_checkpointing); static const uint64_t hf16_height = cryptonote::HardFork::get_hardcoded_hard_fork_height(nettype, cryptonote::network_version_16_pulse); auto result = difficulty_calc_mode::normal; if (hf_version <= cryptonote::network_version_9_service_nodes) { result = difficulty_calc_mode::use_old_lwma; } // HF12 switches to RandomX with a likely drastically reduced hashrate versus Turtle, so override // difficulty for the first difficulty window blocks: else if (height >= hf12_height && height < hf12_height + (DIFFICULTY_WINDOW + 1)) { result = difficulty_calc_mode::hf12_override; } else if (nettype == MAINNET && height >= hf16_height && height < hf16_height + (DIFFICULTY_WINDOW + 1)) { result = difficulty_calc_mode::hf16_override; } return result; } difficulty_type next_difficulty_v2(std::vector timestamps, std::vector cumulative_difficulties, size_t target_seconds, difficulty_calc_mode mode) { const int64_t T = static_cast(target_seconds); size_t N = DIFFICULTY_WINDOW; // Return a difficulty of 1 for first 4 blocks if it's the start of the chain. if (timestamps.size() < 4) { return 1; } // Otherwise, use a smaller N if the start of the chain is less than N+1. else if ( timestamps.size()-1 < N ) { N = timestamps.size() - 1; } else { // Otherwise make sure timestamps and cumulative_difficulties are correct size. timestamps.resize(N+1); cumulative_difficulties.resize(N+1); } // To get an average solvetime to within +/- ~0.1%, use an adjustment factor. // adjust=0.999 for 80 < N < 120(?) const double adjust = 0.998; // The divisor k normalizes the LWMA sum to a standard LWMA. const double k = N * (N + 1) / 2; double LWMA(0), sum_inverse_D(0), harmonic_mean_D(0), nextDifficulty(0); int64_t solveTime(0); uint64_t difficulty(0), next_difficulty(0); // Loop through N most recent blocks. N is most recently solved block. for (int64_t i = 1; i <= (int64_t)N; i++) { solveTime = static_cast(timestamps[i]) - static_cast(timestamps[i - 1]); if (mode == difficulty_calc_mode::use_old_lwma) solveTime = std::max(solveTime, (-7 * T)); solveTime = std::min(solveTime, (T * 7)); difficulty = cumulative_difficulties[i] - cumulative_difficulties[i - 1]; LWMA += (solveTime * i) / k; sum_inverse_D += 1 / static_cast(difficulty); } harmonic_mean_D = N / sum_inverse_D; // Keep LWMA sane in case something unforeseen occurs. if (static_cast(oxen::round(LWMA)) < T / 20) LWMA = static_cast(T / 20); nextDifficulty = harmonic_mean_D * T / LWMA * adjust; // No limits should be employed, but this is correct way to employ a 20% symmetrical limit: // nextDifficulty=max(previous_Difficulty*0.8,min(previous_Difficulty/0.8, next_Difficulty)); next_difficulty = static_cast(nextDifficulty); if (next_difficulty == 0) next_difficulty = 1; // Rough estimate based on comparable coins, pre-merge-mining hashrate, and hashrate changes is // that 30MH/s seems more or less right, so we cap it there for the first WINDOW blocks to // prevent too-long blocks right after the fork. if (mode == difficulty_calc_mode::hf12_override) return std::min(next_difficulty, 30'000'000 * uint64_t(target_seconds)); else if (mode == difficulty_calc_mode::hf16_override) return std::min(next_difficulty, PULSE_FIXED_DIFFICULTY); return next_difficulty; } }