Summary of merkle grinding, covert asicboost.

1. Summary of merkle grinding, covert asicboost.
2.  
3. So the header format is https://en.bitcoin.it/wiki/Block_hashing_algorithm
4.  
5. version(4bytes) prevBlock (32bytes) merkleRoot (32bytes) time (4bytes)
6. bits (4bytes) nonce (4bytes) = 80 bytes.
7.  
8. sha256 works on 64 byte chunks so that will be processed in two chunks.
9.  
10. the 64-bit message length is appended to the data after 1 or more
11. 0bytes to pad to 64 bytes so what is actually hashed is:
12.  
13. there is an inner hash and an outer hash.  inner first, data hashed is
14.  
15. inner hased data =
16. version(4bytes) prevBlock (32bytes) merkleRoot (32bytes) time (4bytes)
17. bits (4bytes) nonce (4bytes) <40bytes of 0> loCount (4byte value 80)
18. hiCount (4bytes)
19.  
20. hiCount is always 0.
21.  
22. IV is magic constants.
23.  
24. stateA = transform call A( IV, version || prevBlock[0-31] || merkleRoot[0-27] )
25.  
26. inner digest = transform call B( stateA, merkleRoot[28-31] || time ||
27. nonce || <40bytes of0> || loCount || <4bytes 0> )
28.  
29. outer hashed data = <inner digest> || <28bytes 0> || loCount (4 byte
30. value 32) || <4bytes 0>
31.  
32. outer = transform call C( IV, <inner digest> || <28bytes 0> || loCount
33. (4 byte value 32) || <4bytes 0> )
34.  
35. if target outer bits == 0 found proof of work.
36.  
37.  
38. stateA is precomputed and transform call 1 only done when extraNonce
39. changes, which changes merkleRoot.
40.  
41. so the most work is repeating call B by changing nonce (and maybe some
42. low order bits of time) and then calling transform call C.
43.  
44.  
45. now transform itself is in two parts.
46.  
47. W array = transform_part1( data )
48. state = transform_part2( state, W )
49.  
50. part1 does 13 operations of various things rightrotate, rightshift,
51. xor, 32bit unsigned add 48 times.  importantly transform_part1 does
52. not depend on state and so doesnt depend on the first block.
53.  
54. part2 does 23 operations of various rightrotate, xor, and, 32-bit
55. unsigned add 64 times.  it costs more than part1.
56.  
57. now if we precompute multiple merkleRoots that have the same last
58. 4bytes, then transform_part1 in transform call 2 can be reused like
59. this:
60.  
61. expensive precompute eg FPGA
62. (mrA,mrB,mrC,mrD) = precompute_merkle_collision()
63. such that mrA[28..31]==mrB[28..31]==mrC[28..31]==mrD[28..31]
64.  
65. cheap precompute
66.  
67. stateA1= transform call A( IV, prevBlock, mrA[0-27] )
68. stateB1= transform call A( IV, prevBlock, mrB[0-27] )
69. stateC1= transform call A( IV, prevBlock, mrC[0-27] )
70. stateD1= transform call A( IV, prevBlock, mrD[0-27] )
71.  
72. then repeat in loop changing 4 byte nonce, and some low bits of time maybe.
73.  
74. inner W = transform_part1( mrA[28-31] ||  || time || nonce || <40bytes
75. of0> || loCount || <4bytes 0> )
76.  
77. inner digest A1=transform_part2( stateA1, inner W )
78. inner digest B1=transform_part2( stateB1, inner W )
79. inner digest C1=transform_part2( stateC1, inner W )
80. inner digest D1=transform_part2( stateD1, inner W )
81.  
82. outerA = transform call C( IV, <inner digest A1> || <28bytes 0> ||
83. loCount (4 byte value 32) || <4bytes 0> )
84. outerB = transform call C( IV, <inner digest B1> || <28bytes 0> ||
85. loCount (4 byte value 32) || <4bytes 0> )
86. outerC = transform call C( IV, <inner digest C1> || <28bytes 0> ||
87. loCount (4 byte value 32) || <4bytes 0> )
88. outerD = transform call C( IV, <inner digest D1> || <28bytes 0> ||
89. loCount (4 byte value 32) || <4bytes 0> )