From 5aa728f00a41c3d0184ce09d3f96e5a18a800bd8 Mon Sep 17 00:00:00 2001 From: zac-williamson Date: Fri, 3 May 2019 12:29:22 +0100 Subject: [PATCH 1/8] EIP-1108 references latest pairing benchmarks - Several optimizations have been made to the Parity bn create - EIP-1108 references benchmarks that utilize this optimization - Projected gas costs have been updated to reflect benchmark - (benchmark at https://gist.github.com/zac-williamson/838419a3da179d47d31b25b586c15e53) - Added descriptions of projects that would benefit from EIP-1108, and how they could utilize this EIP --- EIPS/eip-1108.md | 54 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 45 insertions(+), 9 deletions(-) diff --git a/EIPS/eip-1108.md b/EIPS/eip-1108.md index c702d25e5f8f4..eaeec5b810a5c 100644 --- a/EIPS/eip-1108.md +++ b/EIPS/eip-1108.md @@ -1,7 +1,7 @@ --- eip: 1108 title: Reduce alt_bn128 precompile gas costs -author: Antonio Salazar Cardozo (@shadowfiend) +author: Antonio Salazar Cardozo (@shadowfiend), Zachary Williamson (@zac-williamson) status: Draft type: Standards Track category: Core @@ -11,12 +11,12 @@ requires: 196, 197 ## Short Description -Recent changes to the underlying library used by the official Go reference +Changes in 2018 to the underlying library used by the official Go reference implementation led to significant performance gains for the `ECADD`, `ECMUL`, and pairing check precompiled contracts on the `alt_bn128` elliptic curve. -What is more, the performance boost for those operations can be also observed -for Parity client. +In the Parity client, field operations used by the precompile algorithms were optimized in 2018, +and recent changes to the pairing algorithm used by the `bn` crate have brought considerable speedups. Faster operations on Ethereum clients should be reflected in reduced gas costs. 
@@ -33,12 +33,48 @@ note](https://github.com/ethereum/go-ethereum/pull/16301#issuecomment-372687543) the computational cost of `ECADD`, `ECMUL`, and pairing checks (excepting the constant) has dropped roughly an order of magnitude across the board. -Also, [optimisations in the bn library](https://github.com/paritytech/bn/pull/9) +Also, optimizations in the bn library [in 2018](https://github.com/paritytech/bn/pull/9) and [2019](https://github.com/paritytech/bn/pull/14) used by the [Parity client](https://github.com/paritytech/parity-ethereum) led to a significant performance boost we [benchmarked](https://gist.github.com/pdyraga/4649b74436940a01e8221d85e80bfeef) and compared against the [previous -results](https://github.com/ethereum/benchmarking/blob/master/constantinople/analysis2.md). +results](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53). + +## The Rationale Behind Lowering Gas Costs + +### Existing protocols would benefit immensely from cheaper elliptic curve cryptography + +Fast elliptic curve cryptography is a keystone of a number of protocols built on top of Ethereum. To list a few: + + [The AZTEC protocol](https://github.com/AztecProtocol/AZTEC) utilizes the elliptic curve precompiles to construct private tokens, with zero-knowledge transaction logic, via the [ERC1723](https://github.com/ethereum/EIPs/issues/1723) and [ERC1724](https://github.com/ethereum/EIPs/issues/1724) standard. 
+ [Matter Labs](https://github.com/matter-labs/matter-network) utilizes the precompiles to implement Ignis, a scaling solution with a throughput of 500txns per second + [Rollup](https://github.com/rollup/rollup) utilizes the precompiles to create L2 scaling solutions, where the correctness of transactions is gauranteed by main-net, without an additional consensus layer + [ZEther](https://crypto.stanford.edu/~buenz/papers/zether.pdf) uses precompiles `0x06` and `0x07` to construct confidential transactions + +These are all technologies that have been, or are in the process of being, deployed to main-net. There protocols would all benefit from reducing the gas cost of the precompiles. + +To give a concrete example, it currently costs `820,000` gas to validate the cryptography in a typical AZTEC confidential transaction. If the gas schedule for the precompiles correctly reflected their load on the Ethereum network, this cost would be `197,000` gas. This significantly increases the potential use cases for private assets on Ethereum. AZTEC has a number of cryptographic protocols that we plan deploy to Ethereum, but are at the limits of what is practical given the current precompile costs: + +* Confidential weighted voting +* Partial-order filling over encrypted orders, for private decentralized exchanges +* Anonymous identity sharing proofs (e.g. proving you are on a whitelist, without revealing who you are) +* Many-to-one payments and one-to-many confidential payments, as encrypted communication channels between main-net and L2 applications + +For ZK-SNARK based protocols on Ethereum, EIP-1108 will not only reduce the gas costs of verifying ZK-SNARKs substantially, but can also aid in [batching together multiple ZK-SNARK proofs](https://github.com/matter-labs/Groth16BatchVerifier). 
This is also a technique that can be used to split up monolithic ZK-SNARK circuits into a batch of ZK-SNARKs with smaller individual circuit sizes, which makes ZK-SNARKs both easier to construct and deploy. + +ZEther transactions currently cost ~`6,000,000` gas. This EIP would would reduce this to ~`1,000,000` gas, which makes the protocol more practical. + +To summarise, the are a number of protocols that currently exist on main-net, that would benefit immensely from this EIP. Elliptic curve cryptography can provide valuable solutions for Ethereum, such as scaling and privacy, and the scope and scale of these solutions can be increased if the gas costs for the `bn128` precompiles accurately reflects their computational load on the network. + +### Cheaper elliptic curve cryptography can be used to trade storage for computation + +Solutions such as Rollup and Ignis can be used to batch groups of individal transactions into a zk-snark proof, with the on-chain state being represented by a small Merkle root, instead of a large number of account balances. + +If ZK-SNARK verification costs are decreased, these solutions can be deployed for a wider range of use cases and more Rollup-style transactions can be processed per block. + +### Parity and Geth already have fast algorithms that justify reduced gas costs + +This EIP does not require Parith or Geth to deploy new cryptographic libraries, as fast bn128 algorithms have already been integrated into these clients. This goal of proposing this EIP for Istanbul, is to supplement [EIP-1829](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1829.md) (arithmetic over generic elliptic curves), providing an immediate solution to the pressing problem of expensive cryptography, while more advanced solutions are developed, defined and deployed. ## Specification 
@@ -48,15 +84,15 @@ Following is a table with the current gas cost and new gas cost: | ------------- | --------- | ----------------------------- | ------------------- | | `ECADD` | `0x06` | 500[1] | 150 | | `ECMUL` | `0x07` | 40 000[1] | 6 000 | -| Pairing check | `0x08` | 80 000 * k + 100 000[2]| 28 300 * k + 35 450 | +| Pairing check | `0x08` | 80 000 * k + 100 000[2]| 34 000 * k + 45 000 | The gas costs for `ECADD` and `ECMUL` are updates to the costs listed in EIP-196, while the gas costs for the pairing check are updates to the cost listed in EIP-197. Updated gas costs have been adjusted to the less performant -client which is Parity, according to benchmarks[3]. +client which is Parity, according to benchmarks[3]. The updated gas costs are scaled relative to the `ecrecover` precompile. [1]- Per [EIP-196](https://github.com/ethereum/EIPs/blob/984cf5de90bbf5fbe7e49be227b0c2f9567e661e/EIPS/eip-196.md#gas-costs). [2]- Per [EIP-197](https://github.com/ethereum/EIPs/blob/df132cd37efb3986f9cd3ef4922b15a767d2c54a/EIPS/eip-197.md#specification). -[3]- [Parity benchmarks.](https://gist.github.com/pdyraga/4649b74436940a01e8221d85e80bfeef) +[3]- [Parity benchmarks.](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53) \ No newline at end of file From 453ada8382cf9a953798952879fa8b3963219222 Mon Sep 17 00:00:00 2001 From: Antonio Salazar Cardozo Date: Fri, 3 May 2019 14:25:23 +0100 Subject: [PATCH 2/8] Update EIPS/eip-1108.md Co-Authored-By: zac-williamson --- EIPS/eip-1108.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/EIPS/eip-1108.md b/EIPS/eip-1108.md index eaeec5b810a5c..d3e9be21c95b1 100644 --- a/EIPS/eip-1108.md +++ b/EIPS/eip-1108.md 
@@ -53,7 +53,7 @@ Fast elliptic curve cryptography is a keystone of a number of protocols built on These are all technologies that have been, or are in the process of being, deployed to main-net. There protocols would all benefit from reducing the gas cost of the precompiles. -To give a concrete example, it currently costs `820,000` gas to validate the cryptography in a typical AZTEC confidential transaction. If the gas schedule for the precompiles correctly reflected their load on the Ethereum network, this cost would be `197,000` gas. This significantly increases the potential use cases for private assets on Ethereum. AZTEC has a number of cryptographic protocols that we plan deploy to Ethereum, but are at the limits of what is practical given the current precompile costs: +To give a concrete example, it currently costs `820,000` gas to validate the cryptography in a typical AZTEC confidential transaction. If the gas schedule for the precompiles correctly reflected their load on the Ethereum network, this cost would be `197,000` gas. This significantly increases the potential use cases for private assets on Ethereum. AZTEC is planning to deploy a number of cryptographic protocols Ethereum, but these are at the limits of what is practical given the current precompile costs: * Confidential weighted voting * Partial-order filling over encrypted orders, for private decentralized exchanges @@ -95,4 +95,4 @@ client which is Parity, according to benchmarks[3]. The updated gas c [2]- Per [EIP-197](https://github.com/ethereum/EIPs/blob/df132cd37efb3986f9cd3ef4922b15a767d2c54a/EIPS/eip-197.md#specification). -[3]- [Parity benchmarks.](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53) \ No newline at end of file +[3]- [Parity benchmarks.](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53) From 4639e2da75f084d4f412348b5b8c18913c2a6412 Mon Sep 17 00:00:00 2001 
From: Antonio Salazar Cardozo Date: Fri, 3 May 2019 14:25:30 +0100 Subject: [PATCH 3/8] Update EIPS/eip-1108.md Co-Authored-By: zac-williamson --- EIPS/eip-1108.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-1108.md b/EIPS/eip-1108.md index d3e9be21c95b1..f9d8431344765 100644 --- a/EIPS/eip-1108.md +++ b/EIPS/eip-1108.md @@ -70,7 +70,7 @@ To summarise, the are a number of protocols that currently exist on main-net, th Solutions such as Rollup and Ignis can be used to batch groups of individal transactions into a zk-snark proof, with the on-chain state being represented by a small Merkle root, instead of a large number of account balances. -If ZK-SNARK verification costs are decreased, these solutions can be deployed for a wider range of use cases and more Rollup-style transactions can be processed per block. +If zk-SNARK verification costs are decreased, these solutions can be deployed for a wider range of use cases and more Rollup-style transactions can be processed per block. ### Parity and Geth already have fast algorithms that justify reduced gas costs From 929707cff83d065138d6437cc010db9128d12040 Mon Sep 17 00:00:00 2001 From: Antonio Salazar Cardozo Date: Fri, 3 May 2019 14:25:36 +0100 Subject: [PATCH 4/8] Update EIPS/eip-1108.md Co-Authored-By: zac-williamson --- EIPS/eip-1108.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-1108.md b/EIPS/eip-1108.md index f9d8431344765..f9cd573e6e28d 100644 --- a/EIPS/eip-1108.md +++ b/EIPS/eip-1108.md 
@@ -68,7 +68,7 @@ To summarise, the are a number of protocols that currently exist on main-net, th ### Cheaper elliptic curve cryptography can be used to trade storage for computation -Solutions such as Rollup and Ignis can be used to batch groups of individal transactions into a zk-snark proof, with the on-chain state being represented by a small Merkle root, instead of a large number of account balances. +Solutions such as Rollup and Ignis can be used to batch groups of individal transactions into a zk-SNARK proof, with the on-chain state being represented by a small Merkle root, instead of a large number of account balances. If zk-SNARK verification costs are decreased, these solutions can be deployed for a wider range of use cases and more Rollup-style transactions can be processed per block. From 005e3f2c9992fb7fdcfce8a8fe14e1892324e25e Mon Sep 17 00:00:00 2001 From: Antonio Salazar Cardozo Date: Fri, 3 May 2019 14:25:45 +0100 Subject: [PATCH 5/8] Update EIPS/eip-1108.md Co-Authored-By: zac-williamson --- EIPS/eip-1108.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-1108.md b/EIPS/eip-1108.md index f9cd573e6e28d..57e83824a4daa 100644 --- a/EIPS/eip-1108.md +++ b/EIPS/eip-1108.md 
@@ -60,7 +60,7 @@ To give a concrete example, it currently costs `820,000` gas to validate the cry * Anonymous identity sharing proofs (e.g. proving you are on a whitelist, without revealing who you are) * Many-to-one payments and one-to-many confidential payments, as encrypted communication channels between main-net and L2 applications -For ZK-SNARK based protocols on Ethereum, EIP-1108 will not only reduce the gas costs of verifying ZK-SNARKs substantially, but can also aid in [batching together multiple ZK-SNARK proofs](https://github.com/matter-labs/Groth16BatchVerifier). This is also a technique that can be used to split up monolithic ZK-SNARK circuits into a batch of ZK-SNARKs with smaller individual circuit sizes, which makes ZK-SNARKs both easier to construct and deploy. +For zk-SNARK based protocols on Ethereum, EIP-1108 will not only reduce the gas costs of verifying zk-SNARKs substantially, but can also aid in [batching together multiple zk-SNARK proofs](https://github.com/matter-labs/Groth16BatchVerifier). This is also a technique that can be used to split up monolithic zk-SNARK circuits into a batch of zk-SNARKs with smaller individual circuit sizes, which makes zk-SNARKs both easier to construct and deploy. ZEther transactions currently cost ~`6,000,000` gas. This EIP would would reduce this to ~`1,000,000` gas, which makes the protocol more practical. From d64c8e89a9c734d178a2712858232fd9479a9842 Mon Sep 17 00:00:00 2001 From: zac-williamson Date: Fri, 3 May 2019 14:54:54 +0100 Subject: [PATCH 6/8] EIP-1108: Fixed spelling and grammar --- EIPS/eip-1108.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/EIPS/eip-1108.md b/EIPS/eip-1108.md index 57e83824a4daa..6ac0628bb6546 100644 --- a/EIPS/eip-1108.md +++ b/EIPS/eip-1108.md 
@@ -44,7 +44,7 @@ results](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53 ### Existing protocols would benefit immensely from cheaper elliptic curve cryptography -Fast elliptic curve cryptography is a keystone of a number of protocols built on top of Ethereum. To list a few: +Fast elliptic curve cryptography is a keystone of a growing number of protocols built on top of Ethereum. To list a few: [The AZTEC protocol](https://github.com/AztecProtocol/AZTEC) utilizes the elliptic curve precompiles to construct private tokens, with zero-knowledge transaction logic, via the [ERC1723](https://github.com/ethereum/EIPs/issues/1723) and [ERC1724](https://github.com/ethereum/EIPs/issues/1724) standard. [Matter Labs](https://github.com/matter-labs/matter-network) utilizes the precompiles to implement Ignis, a scaling solution with a throughput of 500txns per second 
@@ -53,7 +53,7 @@ Fast elliptic curve cryptography is a keystone of a number of protocols built on These are all technologies that have been, or are in the process of being, deployed to main-net. There protocols would all benefit from reducing the gas cost of the precompiles. -To give a concrete example, it currently costs `820,000` gas to validate the cryptography in a typical AZTEC confidential transaction. If the gas schedule for the precompiles correctly reflected their load on the Ethereum network, this cost would be `197,000` gas. This significantly increases the potential use cases for private assets on Ethereum. AZTEC is planning to deploy a number of cryptographic protocols Ethereum, but these are at the limits of what is practical given the current precompile costs: +To give a concrete example, it currently costs `820,000` gas to validate the cryptography in a typical AZTEC confidential transaction. If the gas schedule for the precompiles correctly reflected their load on the Ethereum network, this cost would be `197,000` gas. This significantly increases the potential use cases for private assets on Ethereum. AZTEC is planning to deploy several cryptographic protocols Ethereum, but these are at the limits of what is practical given the current precompile costs: * Confidential weighted voting * Partial-order filling over encrypted orders, for private decentralized exchanges 
@@ -62,19 +62,19 @@ To give a concrete example, it currently costs `820,000` gas to validate the cry For zk-SNARK based protocols on Ethereum, EIP-1108 will not only reduce the gas costs of verifying zk-SNARKs substantially, but can also aid in [batching together multiple zk-SNARK proofs](https://github.com/matter-labs/Groth16BatchVerifier). This is also a technique that can be used to split up monolithic zk-SNARK circuits into a batch of zk-SNARKs with smaller individual circuit sizes, which makes zk-SNARKs both easier to construct and deploy. -ZEther transactions currently cost ~`6,000,000` gas. This EIP would would reduce this to ~`1,000,000` gas, which makes the protocol more practical. +ZEther transactions currently cost ~`6,000,000` gas. This EIP would reduce this to ~`1,000,000` gas, which makes the protocol more practical. -To summarise, the are a number of protocols that currently exist on main-net, that would benefit immensely from this EIP. Elliptic curve cryptography can provide valuable solutions for Ethereum, such as scaling and privacy, and the scope and scale of these solutions can be increased if the gas costs for the `bn128` precompiles accurately reflects their computational load on the network. +To summarise, there are several protocols that currently exist on main-net, that would benefit immensely from this EIP. Elliptic curve cryptography can provide valuable solutions for Ethereum, such as scaling and privacy, and the scope and scale of these solutions can be increased if the gas costs for the `bn128` precompiles accurately reflects their computational load on the network. ### Cheaper elliptic curve cryptography can be used to trade storage for computation -Solutions such as Rollup and Ignis can be used to batch groups of individal transactions into a zk-SNARK proof, with the on-chain state being represented by a small Merkle root, instead of a large number of account balances. 
+Solutions such as Rollup and Ignis can be used to batch groups of individual transactions into a zk-SNARK proof, with the on-chain state being represented by a small Merkle root, instead of multiple account balances. If zk-SNARK verification costs are decreased, these solutions can be deployed for a wider range of use cases and more Rollup-style transactions can be processed per block. ### Parity and Geth already have fast algorithms that justify reduced gas costs -This EIP does not require Parith or Geth to deploy new cryptographic libraries, as fast bn128 algorithms have already been integrated into these clients. This goal of proposing this EIP for Istanbul, is to supplement [EIP-1829](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1829.md) (arithmetic over generic elliptic curves), providing an immediate solution to the pressing problem of expensive cryptography, while more advanced solutions are developed, defined and deployed. +This EIP does not require Parity or Geth to deploy new cryptographic libraries, as fast bn128 algorithms have already been integrated into these clients. This goal of proposing this EIP for Istanbul, is to supplement [EIP-1829](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1829.md) (arithmetic over generic elliptic curves), providing an immediate solution to the pressing problem of expensive cryptography, while more advanced solutions are developed, defined and deployed. ## Specification From c2f4bba15d44ad168d2669a6357b4eaa32a0dd96 Mon Sep 17 00:00:00 2001 
From: zac-williamson Date: Sat, 4 May 2019 11:16:17 +0100 Subject: [PATCH 7/8] EIP-1108 - updated formatting The formatting of the EIP has been modified to mirror EIP-X Benchmarks referenced the wrong links, these have been swapped Added example implementations of the bn128 curve Expanded rationale behind scaling gas costs relative to `ecrecover` --- EIPS/eip-1108.md | 65 +++++++++++++++++++++++++++++++----------------- 1 file changed, 42 insertions(+), 23 deletions(-) diff --git a/EIPS/eip-1108.md b/EIPS/eip-1108.md index 6ac0628bb6546..d6442879094e5 100644 --- a/EIPS/eip-1108.md +++ b/EIPS/eip-1108.md @@ -9,7 +9,11 @@ created: 2018-05-21 requires: 196, 197 --- -## Short Description +## Simple Summary + +The elliptic curve arithmetic precompiles are currently overpriced. Re-pricing the precompiles would greatly assist a number of privacy solutions and scaling solutions on Ethereum. + +## Abstract Changes in 2018 to the underlying library used by the official Go reference implementation led to significant performance gains for the `ECADD`, `ECMUL`, 
@@ -36,20 +40,42 @@ constant) has dropped roughly an order of magnitude across the board. Also, optimizations in the bn library [in 2018](https://github.com/paritytech/bn/pull/9) and [2019](https://github.com/paritytech/bn/pull/14) used by the [Parity client](https://github.com/paritytech/parity-ethereum) led to a significant performance boost we -[benchmarked](https://gist.github.com/pdyraga/4649b74436940a01e8221d85e80bfeef) +[benchmarked](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53) and compared against the [previous -results](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53). +results](https://gist.github.com/pdyraga/4649b74436940a01e8221d85e80bfeef). + + +## Specification -## The Rationale Behind Lowering Gas Costs +Following is a table with the current gas cost and new gas cost: + +| Contract | Address | Current Gas Cost | Updated Gas Cost | +| ------------- | --------- | ----------------------------- | ------------------- | +| `ECADD` | `0x06` | 500[1] | 150 | +| `ECMUL` | `0x07` | 40 000[1] | 6 000 | +| Pairing check | `0x08` | 80 000 * k + 100 000[2]| 34 000 * k + 45 000 | + +The gas costs for `ECADD` and `ECMUL` are updates to the costs listed in +EIP-196, while the gas costs for the pairing check are updates to the cost +listed in EIP-197. Updated gas costs have been adjusted to the less performant +client which is Parity, according to benchmarks[3]. The updated gas costs are scaled relative to the `ecrecover` precompile. i.e. in the benchmark, `ecrecover` ran in 116 microseconds. If we consider 3,000 gas the fair price for `ecrecover`, we can obtain a metric how much gas should be charged per microsecond of an algorithm's runtime, and use that to price the elliptic curve precompiles. + +[1]- Per [EIP-196](https://github.com/ethereum/EIPs/blob/984cf5de90bbf5fbe7e49be227b0c2f9567e661e/EIPS/eip-196.md#gas-costs). 
+ +[2]- Per [EIP-197](https://github.com/ethereum/EIPs/blob/df132cd37efb3986f9cd3ef4922b15a767d2c54a/EIPS/eip-197.md#specification). + +[3]- [Parity benchmarks.](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53) + +## Rationale ### Existing protocols would benefit immensely from cheaper elliptic curve cryptography Fast elliptic curve cryptography is a keystone of a growing number of protocols built on top of Ethereum. To list a few: - [The AZTEC protocol](https://github.com/AztecProtocol/AZTEC) utilizes the elliptic curve precompiles to construct private tokens, with zero-knowledge transaction logic, via the [ERC1723](https://github.com/ethereum/EIPs/issues/1723) and [ERC1724](https://github.com/ethereum/EIPs/issues/1724) standard. - [Matter Labs](https://github.com/matter-labs/matter-network) utilizes the precompiles to implement Ignis, a scaling solution with a throughput of 500txns per second - [Rollup](https://github.com/rollup/rollup) utilizes the precompiles to create L2 scaling solutions, where the correctness of transactions is gauranteed by main-net, without an additional consensus layer - [ZEther](https://crypto.stanford.edu/~buenz/papers/zether.pdf) uses precompiles `0x06` and `0x07` to construct confidential transactions +* [The AZTEC protocol](https://github.com/AztecProtocol/AZTEC) utilizes the elliptic curve precompiles to construct private tokens, with zero-knowledge transaction logic, via the [ERC1723](https://github.com/ethereum/EIPs/issues/1723) and [ERC1724](https://github.com/ethereum/EIPs/issues/1724) standard. 
+* [Matter Labs](https://github.com/matter-labs/matter-network) utilizes the precompiles to implement Ignis, a scaling solution with a throughput of 500txns per second +* [Rollup](https://github.com/rollup/rollup) utilizes the precompiles to create L2 scaling solutions, where the correctness of transactions is gauranteed by main-net, without an additional consensus layer +* [ZEther](https://crypto.stanford.edu/~buenz/papers/zether.pdf) uses precompiles `ECADD` and `ECMUL` to construct confidential transactions These are all technologies that have been, or are in the process of being, deployed to main-net. There protocols would all benefit from reducing the gas cost of the precompiles. 
@@ -76,23 +102,16 @@ If zk-SNARK verification costs are decreased, these solutions can be deployed fo This EIP does not require Parity or Geth to deploy new cryptographic libraries, as fast bn128 algorithms have already been integrated into these clients. This goal of proposing this EIP for Istanbul, is to supplement [EIP-1829](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1829.md) (arithmetic over generic elliptic curves), providing an immediate solution to the pressing problem of expensive cryptography, while more advanced solutions are developed, defined and deployed. -## Specification -Following is a table with the current gas cost and new gas cost: - -| Contract | Address | Current Gas Cost | Updated Gas Cost | -| ------------- | --------- | ----------------------------- | ------------------- | -| `ECADD` | `0x06` | 500[1] | 150 | -| `ECMUL` | `0x07` | 40 000[1] | 6 000 | -| Pairing check | `0x08` | 80 000 * k + 100 000[2]| 34 000 * k + 45 000 | +## Test Cases -The gas costs for `ECADD` and `ECMUL` are updates to the costs listed in -EIP-196, while the gas costs for the pairing check are updates to the cost -listed in EIP-197. Updated gas costs have been adjusted to the less performant -client which is Parity, according to benchmarks[3]. The updated gas costs are scaled relative to the `ecrecover` precompile. +As no underlying algorithms are not being changed, there are no additional test cases to specify. -[1]- Per [EIP-196](https://github.com/ethereum/EIPs/blob/984cf5de90bbf5fbe7e49be227b0c2f9567e661e/EIPS/eip-196.md#gas-costs). +## Implementation -[2]- Per [EIP-197](https://github.com/ethereum/EIPs/blob/df132cd37efb3986f9cd3ef4922b15a767d2c54a/EIPS/eip-197.md#specification). +Both the Parity and Geth clients have already implemented cryptographic libraries that are fast enough to justify reducing the precompile gas costs. 
As a reference, here are a list of elliptic curve libraries, in `C++`, `golang` and `rust`, that support the `bn128` curve, and have run-times that are equal to or faster than the Parity benchmarks. -[3]- [Parity benchmarks.](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53) +* [Parity bn crate (rust)](https://github.com/paritytech/bn) +* [Geth bn256 library (golang)](https://github.com/ethereum/go-ethereum/tree/master/crypto/bn256/cloudflare) +* [MCL, a portable C++ pairing library](https://github.com/herumi/mcl) +* [Libff, a C++ pairing library used in many zk-SNARK libraries](https://github.com/scipr-lab/libff) From e81104b20f9c4794167dbad9d76e13fd5eb3f3e5 Mon Sep 17 00:00:00 2001 From: zac-williamson Date: Sat, 4 May 2019 11:19:50 +0100 Subject: [PATCH 8/8] added `discussions-to` field in header --- EIPS/eip-1108.md | 1 + 1 file changed, 1 insertion(+) diff --git a/EIPS/eip-1108.md b/EIPS/eip-1108.md index d6442879094e5..94fcdf69e7f82 100644 --- a/EIPS/eip-1108.md +++ b/EIPS/eip-1108.md @@ -2,6 +2,7 @@ eip: 1108 title: Reduce alt_bn128 precompile gas costs author: Antonio Salazar Cardozo (@shadowfiend), Zachary Williamson (@zac-williamson) +discussions-to: https://ethereum-magicians.org/t/eip-1108-reduce-alt-bn128-precompile-gas-costs/3206 status: Draft type: Standards Track category: Core
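Review bot: In PATCH 1/8, hunk `@@ -33,12 +33,48 @@`, the benchmark gist id does not match the one in the commit message: the message cites `838419a3da179d47d31b25b586c15e53`, while the link added in the diff uses `838410a3da179d47d31b25b586c15e53`. One of the two is a typo, so confirm which URL resolves and make them agree. In the same hunk `[benchmarked]` still points at the pdyraga gist while `[previous results]` points at the new one, which reads backwards. PATCH 7/8 swaps them, and folding that swap into this commit would keep the series from carrying a wrong citation at any point in its history.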
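Review bot: In PATCH 1/8, hunk `@@ -48,15 +84,15 @@`, only the pairing-check row is repriced (`28 300 * k + 35 450` becomes `34 000 * k + 45 000`), while `ECADD` (150) and `ECMUL` (6 000) are left as they were, even though footnote [3] now cites a different benchmark and the added sentence says the costs are scaled relative to `ecrecover`. Say explicitly whether the two unchanged rows were re-derived from the new benchmark or carried over from the old one. Since the paragraph states the prices follow the less performant client, a row that was not re-checked against that client's current numbers is the one most likely to end up underpriced.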
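Review bot: PATCH 6/8 is titled as a spelling and grammar fix, but hunk `@@ -53,7 +53,7 @@` still carries "There protocols would all benefit" (should be "These") in its context, and its `+` line reads "deploy several cryptographic protocols Ethereum", which is missing "to" or "on". In hunk `@@ -62,19 +62,19 @@` the `+` line that corrects "Parith" keeps "This goal of proposing this EIP for Istanbul, is to", which should be "The goal of proposing this EIP for Istanbul is to". The Rollup bullet's "gauranteed" is also untouched here and is copied unchanged into the list that PATCH 7/8 rewrites. Fixing all of these in this commit would let its subject line stay accurate.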
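Review bot: In PATCH 7/8, hunk `@@ -36,20 +40,42 @@`, the sentence appended to the Specification paragraph gives the `ecrecover` anchor (116 microseconds, 3,000 gas, so roughly 26 gas per microsecond) but not the measured run times of `ECADD`, `ECMUL` or the pairing check, so a reader cannot reproduce 150, 6 000 or `34 000 * k + 45 000` from the EIP text alone. Add the benchmark timings as a column in the table, or next to it, so the derivation can be checked without following footnote [3]. The explanation itself is rationale rather than specification and would sit better under the new `## Rationale` heading. The join "precompile. i.e. in the benchmark" should also be one sentence, or "i.e." should be replaced with "In the benchmark,".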
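Review bot: In PATCH 7/8, hunk `@@ -76,23 +102,16 @@`, the new Test Cases section argues that no tests are needed because the algorithms are unchanged, but what this EIP changes is the gas charged by `0x06`, `0x07` and `0x08`, and that is consensus-critical: two clients that disagree on the new price will disagree on whether a call runs out of gas. The section should ask for gas-accounting vectors, for example a call to each precompile with exactly the new cost and with one gas less, and a pairing check for more than one value of `k`. Separately, "As no underlying algorithms are not being changed" is a double negative (drop "not"), and in the Implementation paragraph "here are a list" should be "here is a list".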