From 4b82dceb7bed143a0c7ac6098b2fd39ecc706707 Mon Sep 17 00:00:00 2001
From: pooler <pooler@litecoinpool.org>
Date: Thu, 29 Aug 2013 15:14:34 +0200
Subject: [PATCH] Litecoin: Add a simplified SSE2 version of scrypt

pooler: Ported from tarsnap upstream, fixed aliasing issue
cfields: break apart sse2/non-sse2 into separate objects
---
 src/makefile.unix   |  13 +++++
 src/scrypt-sse2.cpp | 138 ++++++++++++++++++++++++++++++++++++++++++++
 src/scrypt.cpp      |  30 +++-------
 src/scrypt.h        |  25 +++++++-
 4 files changed, 184 insertions(+), 22 deletions(-)
 create mode 100644 src/scrypt-sse2.cpp

diff --git a/src/makefile.unix b/src/makefile.unix
index 6b13b2661..7cb8173e9 100644
--- a/src/makefile.unix
+++ b/src/makefile.unix
@@ -144,6 +144,12 @@ OBJS= \
     obj/leveldb.o \
     obj/txdb.o
 
+OBJS_SSE2= obj/scrypt-sse2.o
+
+ifdef SSE2
+DEFS += -DUSE_SSE2
+OBJS += $(OBJS_SSE2)
+endif
 
 all: litecoind
 
@@ -169,6 +175,13 @@ obj/build.h: FORCE
 version.cpp: obj/build.h
 DEFS += -DHAVE_BUILD_INFO
 
+obj/%-sse2.o: %-sse2.cpp
+	$(CXX) -c $(xCXXFLAGS) -msse2 -MMD -MF $(@:%.o=%.d) -o $@ $<
+	@cp $(@:%.o=%.d) $(@:%.o=%.P); \
+	  sed -e 's/#.*//' -e 's/^[^:]*: *//' -e 's/ *\\$$//' \
+	      -e '/^$$/ d' -e 's/$$/ :/' < $(@:%.o=%.d) >> $(@:%.o=%.P); \
+	  rm -f $(@:%.o=%.d)
+
 obj/%.o: %.cpp
 	$(CXX) -c $(xCXXFLAGS) -MMD -MF $(@:%.o=%.d) -o $@ $<
 	@cp $(@:%.o=%.d) $(@:%.o=%.P); \
diff --git a/src/scrypt-sse2.cpp b/src/scrypt-sse2.cpp
new file mode 100644
index 000000000..30cd6dadd
--- /dev/null
+++ b/src/scrypt-sse2.cpp
@@ -0,0 +1,138 @@
+/*
+ * Copyright 2009 Colin Percival, 2011 ArtForz, 2012-2013 pooler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+#ifdef __SSE2__
+#include "scrypt.h"
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <openssl/sha.h>
+
+#include <emmintrin.h>
+
+static inline void xor_salsa8_sse2(__m128i B[4], const __m128i Bx[4])
+{
+	__m128i X0, X1, X2, X3;
+	__m128i T;
+	int i;
+
+	X0 = B[0] = _mm_xor_si128(B[0], Bx[0]);
+	X1 = B[1] = _mm_xor_si128(B[1], Bx[1]);
+	X2 = B[2] = _mm_xor_si128(B[2], Bx[2]);
+	X3 = B[3] = _mm_xor_si128(B[3], Bx[3]);
+
+	for (i = 0; i < 8; i += 2) {
+		/* Operate on "columns". */
+		T = _mm_add_epi32(X0, X3);
+		X1 = _mm_xor_si128(X1, _mm_slli_epi32(T, 7));
+		X1 = _mm_xor_si128(X1, _mm_srli_epi32(T, 25));
+		T = _mm_add_epi32(X1, X0);
+		X2 = _mm_xor_si128(X2, _mm_slli_epi32(T, 9));
+		X2 = _mm_xor_si128(X2, _mm_srli_epi32(T, 23));
+		T = _mm_add_epi32(X2, X1);
+		X3 = _mm_xor_si128(X3, _mm_slli_epi32(T, 13));
+		X3 = _mm_xor_si128(X3, _mm_srli_epi32(T, 19));
+		T = _mm_add_epi32(X3, X2);
+		X0 = _mm_xor_si128(X0, _mm_slli_epi32(T, 18));
+		X0 = _mm_xor_si128(X0, _mm_srli_epi32(T, 14));
+
+		/* Rearrange data. */
+		X1 = _mm_shuffle_epi32(X1, 0x93);
+		X2 = _mm_shuffle_epi32(X2, 0x4E);
+		X3 = _mm_shuffle_epi32(X3, 0x39);
+
+		/* Operate on "rows". */
+		T = _mm_add_epi32(X0, X1);
+		X3 = _mm_xor_si128(X3, _mm_slli_epi32(T, 7));
+		X3 = _mm_xor_si128(X3, _mm_srli_epi32(T, 25));
+		T = _mm_add_epi32(X3, X0);
+		X2 = _mm_xor_si128(X2, _mm_slli_epi32(T, 9));
+		X2 = _mm_xor_si128(X2, _mm_srli_epi32(T, 23));
+		T = _mm_add_epi32(X2, X3);
+		X1 = _mm_xor_si128(X1, _mm_slli_epi32(T, 13));
+		X1 = _mm_xor_si128(X1, _mm_srli_epi32(T, 19));
+		T = _mm_add_epi32(X1, X2);
+		X0 = _mm_xor_si128(X0, _mm_slli_epi32(T, 18));
+		X0 = _mm_xor_si128(X0, _mm_srli_epi32(T, 14));
+
+		/* Rearrange data. */
+		X1 = _mm_shuffle_epi32(X1, 0x39);
+		X2 = _mm_shuffle_epi32(X2, 0x4E);
+		X3 = _mm_shuffle_epi32(X3, 0x93);
+	}
+
+	B[0] = _mm_add_epi32(B[0], X0);
+	B[1] = _mm_add_epi32(B[1], X1);
+	B[2] = _mm_add_epi32(B[2], X2);
+	B[3] = _mm_add_epi32(B[3], X3);
+}
+#endif
+void scrypt_1024_1_1_256_sp_sse2(const char *input, char *output, char *scratchpad)
+{
+#ifdef __SSE2__
+	uint8_t B[128];
+	union {
+		__m128i i128[8];
+		uint32_t u32[32];
+	} X;
+	__m128i *V;
+	uint32_t i, j, k;
+
+	V = (__m128i *)(((uintptr_t)(scratchpad) + 63) & ~ (uintptr_t)(63));
+
+	PBKDF2_SHA256((const uint8_t *)input, 80, (const uint8_t *)input, 80, 1, B, 128);
+
+	for (k = 0; k < 2; k++) {
+		for (i = 0; i < 16; i++) {
+			X.u32[k * 16 + i] = le32dec(&B[(k * 16 + (i * 5 % 16)) * 4]);
+		}
+	}
+
+	for (i = 0; i < 1024; i++) {
+		for (k = 0; k < 8; k++)
+			V[i * 8 + k] = X.i128[k];
+		xor_salsa8_sse2(&X.i128[0], &X.i128[4]);
+		xor_salsa8_sse2(&X.i128[4], &X.i128[0]);
+	}
+	for (i = 0; i < 1024; i++) {
+		j = 8 * (X.u32[16] & 1023);
+		for (k = 0; k < 8; k++)
+			X.i128[k] = _mm_xor_si128(X.i128[k], V[j + k]);
+		xor_salsa8_sse2(&X.i128[0], &X.i128[4]);
+		xor_salsa8_sse2(&X.i128[4], &X.i128[0]);
+	}
+
+	for (k = 0; k < 2; k++) {
+		for (i = 0; i < 16; i++) {
+			le32enc(&B[(k * 16 + (i * 5 % 16)) * 4], X.u32[k * 16 + i]);
+		}
+	}
+
+	PBKDF2_SHA256((const uint8_t *)input, 80, B, 128, 1, (uint8_t *)output, 32);
+#endif
+}
diff --git a/src/scrypt.cpp b/src/scrypt.cpp
index da3d0e21b..6746b8ee0 100644
--- a/src/scrypt.cpp
+++ b/src/scrypt.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright 2009 Colin Percival, 2011 ArtForz
+ * Copyright 2009 Colin Percival, 2011 ArtForz, 2012-2013 pooler
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -49,23 +49,6 @@ static inline void be32enc(void *pp, uint32_t x)
 	p[0] = (x >> 24) & 0xff;
 }
 
-static inline uint32_t le32dec(const void *pp)
-{
-	const uint8_t *p = (uint8_t const *)pp;
-	return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) +
-	    ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24));
-}
-
-static inline void le32enc(void *pp, uint32_t x)
-{
-	uint8_t *p = (uint8_t *)pp;
-	p[0] = x & 0xff;
-	p[1] = (x >> 8) & 0xff;
-	p[2] = (x >> 16) & 0xff;
-	p[3] = (x >> 24) & 0xff;
-}
-
-
 typedef struct HMAC_SHA256Context {
 	SHA256_CTX ictx;
 	SHA256_CTX octx;
@@ -139,7 +122,7 @@ HMAC_SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX *ctx)
  * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
  * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
  */
-static void
+void
 PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
     size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
 {
@@ -191,7 +174,6 @@ PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
 	memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
 }
 
-
 #define ROTL(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
 
 static inline void xor_salsa8(uint32_t B[16], const uint32_t Bx[16])
@@ -296,5 +278,11 @@ void scrypt_1024_1_1_256_sp(const char *input, char *output, char *scratchpad)
 void scrypt_1024_1_1_256(const char *input, char *output)
 {
 	char scratchpad[SCRYPT_SCRATCHPAD_SIZE];
-	scrypt_1024_1_1_256_sp(input, output, scratchpad);
+#ifdef USE_SSE2
+        // todo: runtime detection at startup and use function pointer
+        if(1)
+          scrypt_1024_1_1_256_sp_sse2(input, output, scratchpad);
+        else
+#endif
+          scrypt_1024_1_1_256_sp(input, output, scratchpad);
 }
diff --git a/src/scrypt.h b/src/scrypt.h
index da53b2e7c..1e6c5b48c 100644
--- a/src/scrypt.h
+++ b/src/scrypt.h
@@ -1,9 +1,32 @@
 #ifndef SCRYPT_H
 #define SCRYPT_H
-
+#include <stdlib.h>
+#include <stdint.h>
 static const int SCRYPT_SCRATCHPAD_SIZE = 131072 + 63;
 
+void scrypt_1024_1_1_256_sp_sse2(const char *input, char *output, char *scratchpad);
 void scrypt_1024_1_1_256_sp(const char *input, char *output, char *scratchpad);
 void scrypt_1024_1_1_256(const char *input, char *output);
 
+void
+PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
+    size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen);
+
+static inline uint32_t le32dec(const void *pp)
+{
+        const uint8_t *p = (uint8_t const *)pp;
+        return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) +
+            ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24));
+}
+
+static inline void le32enc(void *pp, uint32_t x)
+{
+        uint8_t *p = (uint8_t *)pp;
+        p[0] = x & 0xff;
+        p[1] = (x >> 8) & 0xff;
+        p[2] = (x >> 16) & 0xff;
+        p[3] = (x >> 24) & 0xff;
+}
+
+
 #endif