multi: Add initial committed filter (CF) support

[jrick]

This change begins the work of bringing committed filters to the
network consensus daemon. Committed filters are designed to enable
light wallets without many of the privacy issues associated with
server-side bloom filtering.

The new gcs package provides the primitives for creating and matching
against Golomb-coded sets (GCS) filters while the blockcf package
provides creation of filters and filter entries for data structures
found in blocks.

The wire package has been updated to define a new protocol version and
service flag for advertising CF support and includes types for the
following new messages: cfheaders, cfilter, cftypes, getcfheaders,
getcfilter, getcftypes. The peer package and server implementation
have been updated to include support for the new protocol version and
messages.

Filters are created using a collision probability of 2^-20 and are
saved to a new optional database index when running with committed
filter support enabled (the default). At first startup, if support is
not disabled, the index will be created and populated with filters and
filter headers for all preexisting blocks, and new filters will be
recorded for processed blocks.

Multiple filter types are supported. The regular filter commits to
output scripts and previous outpoints that any non-voting wallet will
require access to. Scripts and previous outpoints that can only be
spent by votes and revocations are not committed to the filter. The
extended filter is a supplementary filter which commits to all
transaction hashes and script data pushes from the input scripts of
non-coinbase regular and ticket purchase transactions. Creating these
filters is based on the algorithm defined by BIP0158 but is modified
to only commit "regular" data in stake transactions to prevent
committed filters from being used to create SPV voting wallets.

[davecgh]

This is just a very quick first pass. In addition to the inline comments, the ProtocolVersion in wire/protocol.go needs to be bumped to 6 and a new variable CFilterVersion uint32 = 6 since the wire protocol is being changed.

[davecgh]

Yes, let's address this TODO and remove this please. I really would prefer to avoid yet another dependency for something this trivial.

[davecgh]

2018

[davecgh]

2018

[davecgh]

Please make the arguments match the normal style.

[davecgh]

Func definitions on one line.

[davecgh]

Not sure why the previous one has an exclamation point. None of the others do. Please remove it and the other one above too.

[jrick]

It's because this is an index enabled by default. The previous check for the addrexistsindex also uses the !, because keeping the index enabled while also dropping the index doesn't make sense.

[jrick]

There currently exists a bug where the CF index cannot be dropped. The index dropping code assumes there are no nested buckets in the index and uses a cursor to iterate over the bucket to delete all entries (which itself is a hack to reduce memory usage vs deleting the index bucket itself).

[jrick]

Plan is to merge this after #1158 is in, which will solve the problem of being unable to drop the CF index.

[davecgh]

All of these BtcDecode and BtcEncode functions for the new messages should be checking the protocol version and returning an error if it's before the minimum supported one.

e.g.

if pver < NodeCFVersion {
	str := fmt.Sprintf("getcftypes message invalid for protocol "+
		"version %d", pver)
	return messageError("MsgCFHeaders.BtcDecode", str)
}

...

Then, in the tests for all of these new messages, there should be a cross protocol test function (e.g. TestCFHeadersCrossProtocol for this case) which ensures attempting to decode a message encoded with the new protocol version fails as expected when attempting to decode it with an older protocol version.

See msgfilteradd.go and msgfilteradd_test.go in the upstream btcd code for examples.

[jrick]

There appears to be variation in the meaning of the cross protocol tests. In dcrd's TestSendHeadersCrossProtocol test, the two protocols used both support the message being tested and serialization/deserialization is tested to not error on either. This same test is also present in btcd.

[davecgh]

Func definitions on the same line, please.

[davecgh]

This should be cast to (*uint8)(&msg.FilterType) to avoid invoking the slow reflection path in readElement. Either that, or readElement could have *FilterType added as one of the cases. I personally would just do the cast here though as it's less code.

[davecgh]

This should either be return binarySerializer.PutUint8(w, msg.FilterType) or writeElement would need to have a FilterType case added to avoid the slow reflection-based path. I would suggest just using binarySerializer directly since that matches what is done elsewhere in msgtx.go.

[davecgh]

Don't forget to add the 2018 Decred copyright when making the modifications.

[davecgh]

The error return seems unnecessary since nothing returns one.

[davecgh]

Same here regarding performing the checkout outside of the db transaction.

[davecgh]

Any reason this is in a separate package and not just the gcs package? It results in a generic and nondescriptive name as it is in a separate package.

It would be much clearer for the code to read like gcs.BuildExtFilter(...) instead of builder.BuildExtFilter.

[jrick]

I agree with unifying the packages. The builder package came from @Roasbeef's original implementation. Unsure if there was a technical reason for the separation.

[jrick]

There are many other functions exposed by the builder package that would need to be renamed if this change was made. For example, WithKeyPN and the rest of the With... functions. Currently these are called as builder.With... to return a *builder.GCSBuilder, but these function names wouldn't make much sense if they were qualified with the gcs name.

[jrick]

After looking into this some more, it appears that the gcs package is intended to be a general implementation of golomb coded sets while builder is specific to building filters from decred blocks. We can and probably also should remove the extra unused builder methods (everything but BuildBasicFilter and BuildExtFilter).

[davecgh]

s/decred/wire/

[davecgh]

s/decred/wire/

[davecgh]

s/decred/wire/

[davecgh]

This package is using named returns in various places. Please remove them all.

[davecgh]

extra blank line

[davecgh]

Based on the intent described by the comment of the function, this appears to be missing the signature scripts for all of the stake transactions.

In the case of votes and revocations, it's the output of the ticket that is being spent (.TxIn[1] for votes, and .TxIn[0] for revocations), and in the case of tickets, it is all inputs.

[jrick]

The function comment says it includes the witness/sigscripts of regular transactions. No where does it say it commits to the input scripts of stake transactions.

I'm not sure if it would be worthwhile modifying the extended filter to include this data, or if a 3rd filter type should be added specifically for extra commitments for stake transactions.

[davecgh]

As mentioned elsewhere, this needs to be a cast to avoid the slow path (or change readElement).

[davecgh]

Same here regarding use binarySerializer.PutUint8.

[davecgh]

Same here.

[davecgh]

And here.

[davecgh]

All the other decode funcs have blank lines between each field, but this one doesn't.

[davecgh]

The maximum allowed number of filter types is 256 due to it being a uint8. This needs to ensure the value read does not exceed it. Otherwise, it would be trivial to send a message with a massive count and panic the process remotely.

[davecgh]

Same as above regarding the cast or addition of *FilterType to readElement.

Also, to cut down on the number of allocations, please read it directly into the array element.

[davecgh]

Same regarding binarySerializer.PutUint8.

[davecgh]

Cast...

[davecgh]

binarySerializer.PutUint8...

[jrick]

The regular filter has been changed to commit to output scripts themselves instead of all data pushes within the script. This significantly reduces filter bloat at the cost of needing to know the exact script used (instead of, say, a hash160).

This introduces a new problem that is specific to Decred. Output scripts of stake transactions include an opcode tag in the scripts to distinguish between a ticket purchase, ticket purchase change, vote coin generation, and revocation coin generation. This now means that SPV wallets that search the filter for address usage must now check 4 (!) possible output scripts instead of 1: P2PKH, OP_SSTXCHANGE P2PKH, OP_SSGEN P2PKH, and OP_SSRTX P2PKH. Obviously this is not ideal, and I'm considering stripping the tag before committing these scripts.

[davecgh]

s/returns checks/checks/

[davecgh]

We should change this to be a single hash. There is no reason to double hash in BLAKE256 since the hash function isn't vulnerable to length extension attacks which is why double sha256 is used in the upstream code.

[davecgh]

Same here. No need to double hash.

[jrick]

Stake opcode tags are now being stripped before committing the output script.