Refactoring CHashWriter & Get{Prevouts,Sequence,Outputs}Hash to SHA256 #18071

These are a couple common refactoring changes in both Taproot and CTV that I think can be merged as is. Other than that the two PRs should largely be conflict free (except for caching, which is a relatively trivial fix).

These essentially just allow us to get access to the single SHA256 version of Get{Prevouts,Sequence,Outputs} hash which are used both in the Taproot and CTV spec. They use the single hash versions because they are cheaper to compute, which reduces validation overhead. These refactors are non-functional, and just expose the ability to get the single hash when needed.

The names of Get*Hash are renamed to Get*SHA256 to avoid confusion with the value returned previously.

<!--e57a25ab6845829454e8d69fc972939a-->

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

<!--174a7506f384e20aa4161008e828411d-->

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #19601 (Refactoring CHashWriter & Get{Prevouts,Sequence,Outputs}Hash to SHA256 (Alternative to #18071) by JeremyRubin)
• #17977 (Implement BIP 340-342 validation (Schnorr/taproot/tapscript) by sipa)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

utACK

Concept ACK on getting this refactor in separate from #17977 (Taproot) and #19055 (MuHash). Will review later.

09b832b could mention in the description that several proposals require us to "get access to the single SHA256".

Should we rename GetHash() to GetDoubleSha256()?

There are some changes in #17977 to these commits, which should be added here if we merge this separately.

@Sjors requested changes made where applicable. @jnewbery could you be more specific? I scanned over the diffs and am not sure what you're referring to.

could you be more specific?

One example is here: https://github.com/bitcoin/bitcoin/pull/17977/files#diff-46ec93803811240fe7b2b9e83eac7ba2R94

Here's another: https://github.com/bitcoin/bitcoin/pull/17977/files#diff-05b3817be9a0d72b5ad9fa1cff567facR218

Ah those changes are intentional for SHA256Uint256, since we use a r-value version at a callsite I figure it's better to have an explicit version that does that.

In this version, I make the r-value version return a hash (forcing lifetime consumption of it's parameter) and make the reference version overwrite it's parameter and return void. It should be harder to misuse this API as the types are more clear in the places we use it.

In any case, if there is consensus preferring the approach currently in #17977, we'd want to minimally see changes to the Taproot version to both:

1. change the parameter names for consistency.
2. make the SHA256Uint256 take a const uint256& instead of a uint256&.

I think those are all the differences, aside from the precomputed caches (which would be inappropriate to modify in this PR)? If there are other changes, please let me know.

Code review ACK b0ac6eb86f98258d14800a8f913f977902aed856

Micro-nit: the last commit has a typo in the commit message: Prvouts.

It's still unresolved if the CheapHash function can use GetHash (instead of GetSHA256) without breaking Addrman's bucketing. See #19055 (review)

If the intention here is to have function signatures that are different from #17977, then I'm NACKish on this, since it would create additional rebase work for the author and reviewers of that PR.

It's still unresolved if the CheapHash function can use GetHash (instead of GetSHA256) without breaking Addrman's bucketing. See #19055 (comment)

I think that consideration can be left for a follow-up. It is a further behavior change that makes sense to review separately to make sure nothing breaks. And this change here is valuable enough without it for #17977 etc. So after it is merged the other PRs can be rebased and the CheapHash discussion can go on without blocking anything.

I agree with @fjahr, it's best if this PR can make no functional changes. Am happy to make a follow-up PR that can be reviewed independently switching cheaphash to a single sha256 (or as sipa points out, even siphash). @Sjors is that OK? @jnewbery this PR has been open for half a year, and is a part of my review of the Taproot code. The below should be about the only diff required as a result of interface changes, which mostly have to be patched into 41d08f5d77f52bec0e31bb081d85fff2d67d0467. This code is more clear because m_*_hash is not touched once it has been set.

Regardless of this PR, the function signatures should be changed to a const ref. It's not clear to me that it's defined behavior to pass an r-value as a non-const ref, which is done in the taproot code currently (hence the interface changes here -- clearly no UB). If there is consensus that the interfaces should not change, preferring the approach in #17977, I can refactor this PR to be similar.

edit: I guess it's not using UB... I could have sworn somewhere that the input to SHA256Uint256 was a non const...

diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp
index 9ec960d17..003c873d9 100644
--- a/src/script/interpreter.cpp
+++ b/src/script/interpreter.cpp
@@ -1408,12 +1408,12 @@ void PrecomputedTransactionData::Init(const T& txTo, std::vector<CTxOut> spent_o
 
     // Cache is calculated only for transactions with witness
     if (txTo.HasWitness()) {
-        m_prevouts_hash = GetPrevoutHash(txTo);
-        hashPrevouts = SHA256Uint256(m_prevouts_hash);
-        m_sequences_hash = GetSequenceHash(txTo);
-        hashSequence = SHA256Uint256(m_sequences_hash);
-        m_outputs_hash = GetOutputsHash(txTo);
-        hashOutputs = SHA256Uint256(m_outputs_hash);
+        hashPrevouts = m_prevouts_hash = GetPrevoutsSHA256(txTo);
+        SHA256Uint256(hashPrevouts);
+        hashSequence = m_sequences_hash = GetSequencesSHA256(txTo);
+        SHA256Uint256(hashSequence);
+        hashOutputs = m_outputs_hash = GetOutputsSHA256(txTo);
+        SHA256Uint256(hashOutputs);

I have a mild preference for this PR. Both seem correct.

code review ACK https://github.com/bitcoin/bitcoin/pull/18071/commits/b0ac6eb86f98258d14800a8f913f977902aed856

Nano nits can be ignored.

utACK

I agree with @fjahr, it's best if this PR can make no functional changes. Am happy to make a follow-up PR that can be reviewed independently switching cheaphash to a single sha256 (or as sipa points out, even siphash). @Sjors is that OK?

That makes no sense; cheaphash uses a single sha256. This PR changes it to a double hash, so it's a functional change. Unless I'm reading it wrong.

@Sjors yes you are reading it wrong. The type of ctx changes from double hashed writer to a single hashed writer.

I've rebased #18071 following the hash.h span changes (but not #19601 -- I can rebase that one if there is a preference for that approach).

pre-rebase summary: @jnewbery nack-ish (#17977 conflicts may prefer #19601 approach?) @instagibbs code review ACK (slightly prefers #18071 over #19601) @fjahr code review ACK (micro nit fixed) @luke-jr utack @prestwich utack @Sjors concept-ack

Please check the rebase diff at your convenience! @sipa it would be good if you could weigh in on if this is acceptable or if #19601 is better.

I think since merge of the span.h changes causes #17977 to need to rebase, it might be a decent time to rebase onto this branch without too much extra work.

Ah, I missed the switch from CHash256 (double) to CSHA256 (single). I wrote a test, which this PR indeed doesn't break:

BOOST_AUTO_TEST_CASE(getcheaphash)
{
    CHashWriter ss(SER_DISK, CLIENT_VERSION);
    ss << 1;
    BOOST_CHECK_EQUAL(ss.GetCheapHash(), 0x8D07CCE5F258F741ULL);    
}

Since #19601 seems to be preferred by @sipa, @practicalswift, and @jnewbery, going to close #18071.