use 256 bit target for proof of work

* SHA256 produces 256 bits pseudo-randomly uniformly, so you may
compare to a 256 bit target to get a proof of work
* If you pretend that the hash and targets are both integers between 0
and 2^256 - 1, then the target partitions the range into passing and
failing segments.
* In order to match the use of the `get_uint16` function from
`ocplib-endian`, the easiest way to encode `target` is as a `int list`
which works if not ideal
* This seems like the same thing bitcoin does; difficulty there is
actually not a primary notion but is calculated from a 256 bit target,
which is what gets adjusted over time

src/utils/crypto_box.ml

@@ -15,7 +15,11 @@ type secret_key = Sodium.Box.secret_key
 type public_key = Sodium.Box.public_key
 type channel_key = Sodium.Box.channel_key
 type nonce = Sodium.Box.nonce
-type difficulty = int64
+(* target ought to be an unsigned 256 bit integer
+but this representation works better with ocplib-endian; make
+sure target has length 16! *)
+type target = int list
+exception TargetNot256Bit
 
 let random_keypair = Sodium.Box.random_keypair
 let random_nonce = Sodium.Box.random_nonce
@@ -25,22 +29,32 @@ let box_open sk pk msg nonce =
   try Some (Sodium.Box.Bigbytes.box_open sk pk msg nonce) with
     | Sodium.Verification_failure -> None
 
-let check_proof_of_work pk nonce difficulty =
+let validate_target target =
-  let hash_bytes l =
+  if List.length target <> 16 then raise TargetNot256Bit;
-    let hash = Cryptokit.Hash.sha256 () in
+  if List.for_all (fun t -> t < 0 || t >= 1 lsl 16) target
-    List.iter (fun b -> hash#add_string (MBytes.to_string b)) l;
+    then raise TargetNot256Bit
-    let r = hash#result in hash#wipe; r in
+
+(* compare a SHA256 hash to a 256 bit target *)
+let compare_target xs target =
   let hash =
-    hash_bytes
+    let hash = Cryptokit.Hash.sha256 () in
-      [ Sodium.Box.Bigbytes.of_public_key pk ;
+    List.iter (fun b -> hash#add_string (MBytes.to_string b)) xs;
-        Sodium.Box.Bigbytes.of_nonce nonce ] in
+    let r = hash#result in hash#wipe; r in
   let bytes = MBytes.of_string hash in
-  let last_int64 =
+  let get_16 = EndianBigstring.BigEndian.get_uint16 bytes in
-    EndianBigstring.BigEndian.get_int64 bytes (MBytes.length bytes - 8) in
+  let offsets = [0;2;4;6;8;10;12;14;16;18;20;22;24;26;28;30] in
-  Int64.logand last_int64 (Int64.of_int 1) < difficulty
+  List.for_all2 (fun o t -> get_16 o < t) offsets target
-let generate_proof_of_work pk difficulty =
+
+let check_proof_of_work pk nonce target =
+  let what_to_hash =
+    [ Sodium.Box.Bigbytes.of_public_key pk
+    ; Sodium.Box.Bigbytes.of_nonce nonce ] in
+  compare_target what_to_hash target
+
+let generate_proof_of_work pk target =
+  validate_target target;
   let rec loop nonce =
-    if check_proof_of_work pk nonce difficulty then nonce
+    if check_proof_of_work pk nonce target then nonce
     else loop (increment_nonce nonce) in
   loop (random_nonce ())
 

src/utils/crypto_box.mli

@@ -10,13 +10,15 @@
 (** Tezos - X25519/XSalsa20-Poly1305 cryptography *)
 
 type nonce
-type difficulty
 
 val random_nonce : unit -> nonce
 val increment_nonce : ?step:int -> nonce -> nonce
-
 val nonce_encoding : nonce Data_encoding.t
 
+type target
+val compare_target : MBytes.t list -> target -> bool
+val validate_target : target -> unit
+
 type secret_key
 type public_key
 
@@ -29,5 +31,5 @@ val box : secret_key -> public_key -> MBytes.t -> nonce -> MBytes.t
 
 val box_open : secret_key -> public_key -> MBytes.t -> nonce -> MBytes.t option
 
-val check_proof_of_work : public_key -> nonce -> difficulty -> bool
+val check_proof_of_work : public_key -> nonce -> target -> bool
-val generate_proof_of_work : public_key -> difficulty -> nonce
+val generate_proof_of_work : public_key -> target -> nonce