Use precomputed signature tag

Author: roconnor-blockstream

C/jets-secp256k1.c

@@ -1,9 +1,9 @@
 #include "jets.h"
 
+#include "precomputed.h"
 #include "prefix.h"
 #include "sha256.h"
 #include "secp256k1/secp256k1_impl.h"
-#include "tag.h"
 
 /* Read a secp256k1 field element value from the 'src' frame, advancing the cursor 256 cells.
  *
@@ -613,7 +613,7 @@ bool check_sig_verify(frameItem* dst, frameItem src, const txEnv* env) {
 
   {
     sha256_midstate output;
-    sha256_context ctx = MK_TAG(output.s, SIMPLICITY_PREFIX "\x1F" "Signature");
+    sha256_context ctx = sha256_tagged_init(output.s, &signatureIV);
     read8s(msg, 64, &src);
     sha256_uchars(&ctx, msg, 64);
     sha256_finalize(&ctx);

C/precomputed.h

@@ -4,6 +4,10 @@
 
 #include "sha256.h"
 
+/* Initial values for Simplicity's standard tagged message digest. */
+static const sha256_midstate signatureIV =
+  {{0x9470c4e3u, 0xe445a32fu, 0x7e5273b8u, 0x33ead715u, 0xd509cbc5u, 0x1fd3feb9u, 0xacdac827u, 0xf31f4123u}};
+
 /* Initial values for all the 'typeName's. */
 static const sha256_midstate unitIV =
   {{0x12b4c4a9u, 0xa4b0edf6u, 0x5a44f30eu, 0xa762578fu, 0xdd59f105u, 0xf0e4d8f3u, 0x88cb9b6bu, 0xd2c13adfu}};

C/sha256.h

@@ -196,6 +196,18 @@ static inline sha256_context sha256_init(uint32_t* output) {
   return (sha256_context){ .output = output };
 }
 
+/* Initialize a sha256_context given a buffer in which the final output will be written to,
+ * and the midstate of a tagged hash.
+ *
+ * Note that the 'output' buffer may be updated during the computation to hold a SHA-256 midstate.
+ * Precondition: unit32_t output[8]
+ *               unit32_t iv[8]
+ */
+static inline sha256_context sha256_tagged_init(uint32_t* output, const sha256_midstate* iv) {
+  memcpy(output, iv->s, sizeof(uint32_t[8]));
+  return (sha256_context){ .output = output, .counter = 64 };
+}
+
 /* Add an array of bytes to be consumed by an ongoing SHA-256 evaluation.
  * Returns false if the counter overflows.
  *

Haskell-Generate/GenPrecomputed.hs

@@ -50,6 +50,12 @@ prettyCHash h = bracket (format <$> chunksOf 8 str_h)
 declIV :: String -> IV -> Doc a
 declIV name iv = nest 2 $ (pretty $ "static const sha256_midstate "++name++"IV =") <-> (bracket . single . prettyCHash $ ivHash iv) <> semi
 
+declareSignatureIV :: Doc a
+declareSignatureIV = vsep
+                   [ "/* Initial values for Simplicity's standard tagged message digest. */"
+                   , declIV "signature" signatureTag
+                   ]
+
 declareTyIVs :: Doc a
 declareTyIVs = vsep $ "/* Initial values for all the 'typeName's. */":(declTy <$> ["unit", "sum", "prod"])
  where
@@ -110,6 +116,7 @@ footer = vsep $
 precomputed_h :: SimpleDocStream a
 precomputed_h = layoutPretty layoutOptions $ vsep (map (<> line)
   [ header
+  , declareSignatureIV
   , declareTyIVs
   , declareMRIVs
   , declareWord1CMR

Simplicity.Haskell.nix

@@ -6,7 +6,7 @@ mkDerivation (rec {
       (lib.sourceByRegex ./. ["^LICENSE$" "^Simplicity\.cabal$" "^Setup.hs$" "^Tests.hs$" "^Haskell$" "^Haskell/.*"
                               "^Haskell-Generate$" "^Haskell-Generate/.*"
                               "^C$" "^C/uword.h" "^C/bitstring.h" "^C/frame.*" "^C/jets.*" "^C/sha256.*" "^C/unreachable.h"
-                              "^C/ascii.h" "^C/prefix.h" "^C/tag.h"
+                              "^C/precomputed.h" "^C/prefix.h"
                               "^C/jets-secp256k1.c$" "^C/secp256k1$" "^C/secp256k1/.*"
                               "^C/include$" "^C/include/simplicity$" "^C/include/simplicity/elements$" "^C/include/simplicity/elements/env.h"
                               "^C/primitive$" "^C/primitive/elements$" "^C/primitive/elements/jets.*" "^C/primitive/elements/ops.*" "^C/primitive/elements/primitive.*" "^C/primitive/elements/env.c"])