Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BLS12 precompiles adjustments #2999

Merged
merged 9 commits into from
Oct 2, 2020
Merged

BLS12 precompiles adjustments #2999

merged 9 commits into from
Oct 2, 2020

Conversation

shamatar
Copy link
Contributor

This PR perform the following updates and corrections:

  • Cost of subgroup check using fixed scalar multiplication was not properly accounted in pairing operation (trick for fast BLS12 subgroup check by Sean Bowe paper may be patent clashing until 25th of September)
  • BLS12-381 and BLS12-377 have extension tower structures that allow to eliminate quite a few mathematical operations (use negation instead of multiplication, eliminate few multiplications by 0), so costs of operations involving extensions Fp2/Fp6/Fp12 is reduced, namely G2 multiplications/multiexps, pairings and mapping Fp2 to G2

@prestwich prestwich mentioned this pull request Sep 24, 2020
Closed
@shamatar shamatar mentioned this pull request Oct 1, 2020
Closed
@Souptacular Souptacular marked this pull request as ready for review October 1, 2020 20:55
@Souptacular
Copy link
Contributor

Apologies @shamatar, I accidentally hit "Ready for Review". Is this ready? If not feel free to leave a comment and remove it from that state.

@shemnon
Copy link
Contributor

shemnon commented Oct 1, 2020
edited
Loading

I've run the most current matterlabs EIP2537 code in besu, and I think the proposed parings costing is too low.

BNADD
BNADD for 138 gas.  Charging 150 gas.
BNMUL
BNMUL for 5,151 gas.  Charging 6,000 gas.
G1Add
G1ADD for 318 gas. Charging 600 gas.
G1Mul
G1MUL for 9,491 gas.  Charging 12,000 gas.
G1Multiexp
G1MULTIEXP 1 for 11,345 gas.  Charging 14,400 gas.
G1MULTIEXP 2 for 17,125 gas.  Charging 21,312 gas.
G1MULTIEXP 3 for 20,807 gas.  Charging 27,504 gas.
G1MULTIEXP 4 for 24,242 gas.  Charging 30,768 gas.
G1MULTIEXP 5 for 26,995 gas.  Charging 35,640 gas.
G2Add
G2ADD for 494 gas.  Charging 4,500 gas.
G2Mul
G2MUL for 42,565 gas.  Charging 45,000 gas.
G2Multiexp
G2MULTIEXP 1 for 49,301 gas.  Charging 66,000 gas.
G2MULTIEXP 2 for 77,122 gas.  Charging 97,680 gas.
G2MULTIEXP 3 for 106,265 gas.  Charging 126,060 gas.
G2MULTIEXP 4 for 109,732 gas.  Charging 141,020 gas.
G2MULTIEXP 5 for 123,491 gas.  Charging 163,350 gas.
BLS Pairing
BLS pairings 2 pairs for 120,033 gas.  Charging 108,000 gas.
BLS pairings 4 pairs for 150,264 gas.  Charging 151,000 gas.
BLS pairings 6 pairs for 208,851 gas.  Charging 194,000 gas.
MapFPtoG1
MAPFPTOG1 for 3,780 gas.  Charging 5,500 gas.
MapFP2toG2
MAPFP2TOG2 for 69,635 gas.  Charging 75,000 gas.

As an aside, the G2Add looks crazy high. Do I have a good sample vector? shemnon/besu@8c5185e#diff-deeb9a7636367c0fa3f1d0f88fd6d158R252

@shamatar
Copy link
Contributor Author

shamatar commented Oct 2, 2020
edited
Loading

I'll check the case of G2 addition, but updated prices should be used in conjunction with the improvements in the "tuning" branch of the 1962 code, so you will easily fit into pairing prices. Go implementation used these optimizations from day one cause it is properly specialized. Sams should apply to e.g. BLST or MCL.

@shamatar
Copy link
Contributor Author

shamatar commented Oct 2, 2020

Apologies @shamatar, I accidentally hit "Ready for Review". Is this ready? If not feel free to leave a comment and remove it from that state.

It is ready, but I keep is as draft until there is a decision whether updated prices should go into YoloV2 or later.

@shemnon
Copy link
Contributor

shemnon commented Oct 2, 2020

That branch lacks the 196/197 code. Numbers are all below curve, but I'm running on an i7, so we really need some standard "baseline" cpu (like a t3.micro), or some reference function that should consume some tuned amount of gas, that these should be run on.

G1Add
G1ADD for 321 gas. Charging 600 gas.
G1Mul
G1MUL for 9,778 gas.  Charging 12,000 gas.
G1Multiexp
G1MULTIEXP 1 for 11,781 gas.  Charging 14,400 gas.
G1MULTIEXP 2 for 17,937 gas.  Charging 21,312 gas.
G1MULTIEXP 3 for 21,462 gas.  Charging 27,504 gas.
G1MULTIEXP 4 for 25,278 gas.  Charging 30,768 gas.
G1MULTIEXP 5 for 28,216 gas.  Charging 35,640 gas.
G2Add
G2ADD for 494 gas.  Charging 4,500 gas.
G2Mul
G2MUL for 33,674 gas.  Charging 45,000 gas.
G2Multiexp
G2MULTIEXP 1 for 40,330 gas.  Charging 66,000 gas.
G2MULTIEXP 2 for 63,030 gas.  Charging 97,680 gas.
G2MULTIEXP 3 for 76,663 gas.  Charging 126,060 gas.
G2MULTIEXP 4 for 88,336 gas.  Charging 141,020 gas.
G2MULTIEXP 5 for 111,695 gas.  Charging 163,350 gas.
BLS Pairing
BLS pairings 2 pairs for 89,682 gas.  Charging 108,000 gas.
BLS pairings 4 pairs for 121,400 gas.  Charging 151,000 gas.
BLS pairings 6 pairs for 161,532 gas.  Charging 194,000 gas.
MapFPtoG1
MAPFPTOG1 for 3,859 gas.  Charging 5,500 gas.
MapFP2toG2
MAPFP2TOG2 for 52,806 gas.  Charging 75,000 gas.

@eip-automerger eip-automerger merged commit 19afcb1 into ethereum:master Oct 2, 2020
shamatar added a commit to matter-labs-forks/EIPs that referenced this pull request Oct 2, 2020
@shamatar
Revert "Automatically merged updates to draft EIP(s) 2537, 2539 (ethe…
9bc8273 
…reum#2999)"

This reverts commit 19afcb1.
@shamatar
Copy link
Contributor Author

shamatar commented Oct 2, 2020

Hm, "tuning" branch should have 196/197 code as it was branched from master after the addition of eip-196 there.

My "reference" machine is i9 with 2.9 GHz and no turbo-boost that gives a constant around 30 MGas/second. So I give it a margin of 15% on top and round up.

Looking at G2 addition and trying to understand why price was made so high. My benchmarks also suggest that it should be cheaper.

@shamatar
Copy link
Contributor Author

shamatar commented Oct 2, 2020

Oh, bot has merged it...

@shamatar shamatar mentioned this pull request Oct 2, 2020
Merged
@MicahZoltu
Copy link
Contributor

If the PR is authored by one of the EIP authors, or an EIP author approves the PR then it will get automerged. If you want to prevent that, mark the PR as a draft.

@shamatar
Copy link
Contributor Author

shamatar commented Oct 2, 2020

Can someone re-open it? I've initially kept it as a draft for this purpose exactly, but unless I've done it by accident I didn't click any "approve" button.

@shamatar
Copy link
Contributor Author

shamatar commented Oct 2, 2020
edited
Loading

Looks like G1ADD can go down to 500 and G2ADD can be made 750 gas, that's actually a good catch.

@Souptacular Souptacular requested review from Souptacular and removed request for Souptacular October 2, 2020 17:18
tkstanczak pushed a commit to tkstanczak/EIPs that referenced this pull request Nov 7, 2020
@shamatar @tkstanczak
Automatically merged updates to draft EIP(s) 2537, 2539 (ethereum#2999)
e6364ca 
Hi, I'm a bot! This change was automatically merged because:

 - It only modifies existing Draft or Last Call EIP(s)
 - The PR was approved or written by at least one author of each modified EIP
 - The build is passing
Arachnid pushed a commit to Arachnid/EIPs that referenced this pull request Mar 6, 2021
@shamatar @Arachnid
Automatically merged updates to draft EIP(s) 2537, 2539 (ethereum#2999)
d1a60b8 
Hi, I'm a bot! This change was automatically merged because:

 - It only modifies existing Draft or Last Call EIP(s)
 - The PR was approved or written by at least one author of each modified EIP
 - The build is passing
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@shamatar @Souptacular @shemnon @MicahZoltu @eip-automerger