From 5d9f96ac3ea3cf256dd159aaae6db1db4074f532 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Mon, 23 Jul 2018 16:44:29 +0200 Subject: [PATCH 1/3] EIP-1014: Use keccak256 name instead of sha3 Do not refer to the hash function as `sha3` because it is SHA3. Use more precise `keccak256` name. --- EIPS/eip-1014.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/EIPS/eip-1014.md b/EIPS/eip-1014.md index da654104..c2279255 100644 --- a/EIPS/eip-1014.md +++ b/EIPS/eip-1014.md @@ -10,7 +10,7 @@ created: 2018-04-20 ### Specification -Adds a new opcode at 0xf5, which takes 4 stack arguments: endowment, memory_start, memory_length, salt. Behaves identically to CREATE, except using `sha3(msg.sender ++ salt ++ init_code)[12:]` instead of the usual sender-and-nonce-hash as the address where the contract is initialized at. +Adds a new opcode at 0xf5, which takes 4 stack arguments: endowment, memory_start, memory_length, salt. Behaves identically to CREATE, except using `keccak256(msg.sender ++ salt ++ init_code)[12:]` instead of the usual sender-and-nonce-hash as the address where the contract is initialized at. ### Motivation @@ -18,6 +18,6 @@ Allows interactions to (actually or counterfactually in channels) be made with a #### Option 2 -Use `sha3(0xff ++ msg.sender ++ salt ++ init_code)[12:]` +Use `keccak256(0xff ++ msg.sender ++ salt ++ init_code)[12:]` -Rationale: ensures that addresses created with this scheme cannot collide with addresses created using the traditional `sha3(rlp([sender, nonce]))` formula, as 0xff can only be a starting byte for RLP for data many petabytes long. +Rationale: ensures that addresses created with this scheme cannot collide with addresses created using the traditional `keccak256(rlp([sender, nonce]))` formula, as 0xff can only be a starting byte for RLP for data many petabytes long. From f29527ab39357548b06b29e937a48f06ae099de7 Mon Sep 17 00:00:00 2001 From: BinaryQuasar <35580723+BinaryQuasar@users.noreply.github.com> Date: Wed, 26 Sep 2018 06:52:36 +0200 Subject: [PATCH 2/3] Automatically merged updates to draft EIP(s) 712 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing --- EIPS/eip-712.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/EIPS/eip-712.md b/EIPS/eip-712.md index 17f6fad1..9637275f 100644 --- a/EIPS/eip-712.md +++ b/EIPS/eip-712.md @@ -67,7 +67,7 @@ A good hashing algorithm should satisfy security properties such as determinism, ### Transactions and bytestrings -An illustrative example of the above breakage can be found in Ethereum. Ethereum has two kinds of messages, transactions `𝕋` and bytestrings `𝔹⁸ⁿ`. These are signed using `eth_sendTransaction` and `eth_sign` respectively. Originally the encoding function `encode : 𝕋 ∪ 𝔹⁸ⁿ → 𝔹⁸ⁿ` was as defined as follows: +An illustrative example of the above breakage can be found in Ethereum. Ethereum has two kinds of messages, transactions `𝕋` and bytestrings `𝔹⁸ⁿ`. These are signed using `eth_sendTransaction` and `eth_sign` respectively. Originally the encoding function `encode : 𝕋 ∪ 𝔹⁸ⁿ → 𝔹⁸ⁿ` was defined as follows: * `encode(t : 𝕋) = RLP_encode(t)` * `encode(b : 𝔹⁸ⁿ) = b` @@ -93,7 +93,7 @@ Both determinism and injectiveness would be trivially true if `len(b)` was left The `eth_sign` call assumes messages to be bytestrings. In practice we are not hashing bytestrings but the collection of all semantically different messages of all different DApps `𝕄`. Unfortunately, this set is impossible to formalize. Instead we approximate it with the set of typed named structures `𝕊`. This standard formalizes the set `𝕊` and provides a deterministic injective encoding function for it. -Just encoding structs is not enough. It is likely that two different DApps use identical structs. When this happens, a signed message intended for one DApp would also be valid for the other. The signatures are compatible. This can be intended behaviour, in which case everything is fine as long as the DApps took replay attacks into consideration. If it is not intended, there is a security problem. +Just encoding structs is not enough. It is likely that two different DApps use identical structs. When this happens, a signed message intended for one DApp would also be valid for the other. The signatures are compatible. This can be intended behaviour, in which case everything is fine as long as the DApps took replay attacks into consideration. If it is not intended, there is a security problem. The way to solve this is by introducing a domain separator, a 256-bit number. This is a value unique to each domain that is 'mixed in' the signature. It makes signatures from different domains incompatible. The domain separator is designed to include bits of DApp unique information such as the name of the DApp, the intended validator contract address, the expected DApp domain name, etc. The user and user-agent can use this information to mitigate phishing attacks, where a malicious DApp tries to trick the user into signing a message for another DApp. @@ -157,7 +157,7 @@ If the struct type references other struct types (and these in turn reference ev ### Definition of `encodeData` -The encoding of a struct instance is `enc(value₁) ‖ enc(value₂) ‖ … ‖ enc(valueₙ)`, i.e. the concatenation of the encoded of the member values in the order that they apear in the type. Each encoded member value is exactly 32-byte long. +The encoding of a struct instance is `enc(value₁) ‖ enc(value₂) ‖ … ‖ enc(valueₙ)`, i.e. the concatenation of the encoded member values in the order that they apear in the type. Each encoded member value is exactly 32-byte long. The atomic values are encoded as follows: Boolean `false` and `true` are encoded as `uint256` values `0` and `1` respectively. Addresses are encoded as `uint160`. Integer values are sign-extended to 256-bit and encoded in big endian order. `bytes1` to `bytes31` are arrays with a beginning (index `0`) and an end (index `length - 1`), they are zero-padded at the end to `bytes32` and encoded in beginning to end order. This corresponds to their encoding in ABI v1 and v2. @@ -262,7 +262,7 @@ Result: } ``` -An example how to use solidity ecrecover to verify the signature calculated with `eth_signTypedData` can be found in the EIP712 [Example.js][example-js]. The contract is deployed on the testnet Ropsten and Rinkeby. +An example how to use Solidity ecrecover to verify the signature calculated with `eth_signTypedData` can be found in the EIP712 [Example.js][example-js]. The contract is deployed on the testnet Ropsten and Rinkeby. [example-js]: https://github.com/ethereum/EIPs/blob/master/assets/eip-712/Example.js @@ -326,9 +326,9 @@ The domain separator prevents collision of otherwise identical structures. It is The domain separator also allows for multiple distinct signatures use-cases on the same struct instance within a given DApp. In the previous example, perhaps signatures from both `from` and `to` are required. By providing two distinct domain separators these signatures can be distinguished from each other. -**Alternative 1**: Use the target contract address as domain separator. This solves the first problem, contracts coming up with identical types, but does not address second use-case. The standard does suggest implementors to use the target contract address where this is appropriate. +**Alternative 1**: Use the target contract address as domain separator. This solves the first problem, contracts coming up with identical types, but does not address the second use-case. The standard does suggest implementors to use the target contract address where this is appropriate. -The function `hashStruct` starts with a `typeHash` to separate types. By giving different types a different prefix the `encodeData` function only has to be injective for within a given type. It is okay for `encodeData(a)` to equal `encodeData(b)` as long as `typeOf(a)` is not `typeOf(b)`. +The function `hashStruct` starts with a `typeHash` to separate types. By giving different types a different prefix the `encodeData` function only has to be injective within a given type. It is okay for `encodeData(a)` to equal `encodeData(b)` as long as `typeOf(a)` is not `typeOf(b)`. ### Rationale for `typeHash` @@ -339,11 +339,11 @@ bytes32 constant MAIL_TYPEHASH = keccak256( "Mail(address from,address to,string contents)"); ``` -For the type hash several alternatives where considered and rejected for the reasons: +For the type hash several alternatives were considered and rejected for the reasons: **Alternative 2**: Use ABIv2 function signatures. `bytes4` is not enough to be collision resistant. Unlike function signatures, there is negligible runtime cost incurred by using longer hashes. -**Alternative 3**: ABIv2 function signatures modified to be 256-bit. While this captures type info, it does not capture any of the semantics other than the function. This is already causing a practical collision between ERC20's and ERC721's `transfer(address,uint256)`, where in the former the `uint256` revers to an amount and the latter to a unique id. In general ABIv2 favors compatibility where a hashing standard should prefer incompatibility. +**Alternative 3**: ABIv2 function signatures modified to be 256-bit. While this captures type info, it does not capture any of the semantics other than the function. This is already causing a practical collision between ERC20's and ERC721's `transfer(address,uint256)`, where in the former the `uint256` refers to an amount and the latter to a unique id. In general ABIv2 favors compatibility where a hashing standard should prefer incompatibility. **Alternative 4**: 256-bit ABIv2 signatures extended with parameter names and struct names. The `Mail` example from a above would be encoded as `Mail(Person(string name,address wallet) from,Person(string name,address wallet) to,string contents)`. This is longer than the proposed solution. And indeed, the length of the string can grow exponentially in the length of the input (consider `struct A{B a;B b;}; struct B {C a;C b;}; …`). It also does not allow a recursive struct type (consider `struct List {uint256 value; List next;}`). @@ -392,7 +392,7 @@ function hashStruct(Mail memory mail) pure returns (bytes32 hash) { } ``` -The in-place implementation makes strong but reasonable assumptions on the memory layout of structs in memory. Specifically it assume structs are not allocated below address 32, that members are stored in order, that all values are padded to 32-byte boundaries, and that dynamic and reference types are stored as a 32-byte pointers. +The in-place implementation makes strong but reasonable assumptions on the memory layout of structs in memory. Specifically it assumes structs are not allocated below address 32, that members are stored in order, that all values are padded to 32-byte boundaries, and that dynamic and reference types are stored as a 32-byte pointers. **Alternative 6**: Tight packing. This is the default behaviour in Soldity when calling `keccak256` with multiple arguments. It minimizes the number of bytes to be hashed but requires complicated packing instructions in EVM to do so. It does not allow in-place computation. @@ -400,7 +400,7 @@ The in-place implementation makes strong but reasonable assumptions on the memor **Alternative 8**: Leave `typeHash` out of `hashStruct` and instead combine it with the domain separator. This is more efficient, but then the semantics of the Solidity `keccak256` hash function are not injective. -**Alternative 9**: Support cyclical data structures. The current standard is optimized for tree-like data structures and undefined for cyclical data structures. To support cyclical data a stack containing the path to the current node needs to be maintained and a stack offset substituted when a cycle is detected. This is prohibitively more complex to specify and implement. It also breaks composability where the hashes of the member values are used to construct the hash of the struct (the hash of the member values would dependent on the path). It is possible to extend the standard in a compatible way to define hashes of cyclical data. +**Alternative 9**: Support cyclical data structures. The current standard is optimized for tree-like data structures and undefined for cyclical data structures. To support cyclical data a stack containing the path to the current node needs to be maintained and a stack offset substituted when a cycle is detected. This is prohibitively more complex to specify and implement. It also breaks composability where the hashes of the member values are used to construct the hash of the struct (the hash of the member values would depend on the path). It is possible to extend the standard in a compatible way to define hashes of cyclical data. Similarly, a straightforward implementation is sub-optimal for directed acyclic graphs. A simple recursion through the members can visit the same node twice. Memoization can optimize this. @@ -408,7 +408,7 @@ Similarly, a straightforward implementation is sub-optimal for directed acyclic Since different domains have different needs, an extensible scheme is used where the DApp specifies a `EIP712Domain` struct type and an instance `eip712Domain` which it passes to the user-agent. The user-agent can then apply different verification measures depending on the fields that are there. -A field `string eip719dsl` can added and be rejected if the value does not match the hash of the [EIP-719][eip719] DSL interface string. +A field `string eip719dsl` can be added and be rejected if the value does not match the hash of the [EIP-719][eip719] DSL interface string. [eip719]: https://github.com/ethereum/EIPs/issues/719 @@ -424,7 +424,7 @@ The Solidity expression `keccak256(someInstance)` for an instance `someInstance` -An example contract can be found in [Example.sol][ex-sol] and an example implementation of signing in Javascrtip in [Example.js][ex-js] +An example contract can be found in [Example.sol][ex-sol] and an example implementation of signing in JavaScript in [Example.js][ex-js] [ex-sol]: https://github.com/ethereum/EIPs/blob/master/assets/eip-712/Example.sol [ex-js]: https://github.com/ethereum/EIPs/blob/master/assets/eip-712/Example.js From a181d1dd09f177d5479a89d2fa8958bf6e96158f Mon Sep 17 00:00:00 2001 From: pdyraga Date: Thu, 27 Sep 2018 00:21:36 +0200 Subject: [PATCH 3/3] Automatically merged updates to draft EIP(s) 1108 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing --- EIPS/eip-1108.md | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/EIPS/eip-1108.md b/EIPS/eip-1108.md index c034c4da..c702d25e 100644 --- a/EIPS/eip-1108.md +++ b/EIPS/eip-1108.md @@ -13,8 +13,12 @@ requires: 196, 197 Recent changes to the underlying library used by the official Go reference implementation led to significant performance gains for the `ECADD`, `ECMUL`, -and pairing check precompiled contracts on the `alt_bn128` elliptic curve, which -should be reflected in reduced gas costs. +and pairing check precompiled contracts on the `alt_bn128` elliptic curve. + +What is more, the performance boost for those operations can be also observed +for Parity client. + +Faster operations on Ethereum clients should be reflected in reduced gas costs. ## Motivation @@ -29,20 +33,30 @@ note](https://github.com/ethereum/go-ethereum/pull/16301#issuecomment-372687543) the computational cost of `ECADD`, `ECMUL`, and pairing checks (excepting the constant) has dropped roughly an order of magnitude across the board. +Also, [optimisations in the bn library](https://github.com/paritytech/bn/pull/9) +used by the [Parity client](https://github.com/paritytech/parity-ethereum) led to a +significant performance boost we +[benchmarked](https://gist.github.com/pdyraga/4649b74436940a01e8221d85e80bfeef) +and compared against the [previous +results](https://github.com/ethereum/benchmarking/blob/master/constantinople/analysis2.md). + ## Specification Following is a table with the current gas cost and new gas cost: | Contract | Address | Current Gas Cost | Updated Gas Cost | | ------------- | --------- | ----------------------------- | ------------------- | -| `ECADD` | `0x06` | 500[1] | 50 | -| `ECMUL` | `0x07` | 40 000[1] | 2 000 | -| Pairing check | `0x08` | 80 000k + 100 000[2]| 5 500k + 80 000 | +| `ECADD` | `0x06` | 500[1] | 150 | +| `ECMUL` | `0x07` | 40 000[1] | 6 000 | +| Pairing check | `0x08` | 80 000 * k + 100 000[2]| 28 300 * k + 35 450 | The gas costs for `ECADD` and `ECMUL` are updates to the costs listed in EIP-196, while the gas costs for the pairing check are updates to the cost -listed in EIP-197. +listed in EIP-197. Updated gas costs have been adjusted to the less performant +client which is Parity, according to benchmarks[3]. [1]- Per [EIP-196](https://github.com/ethereum/EIPs/blob/984cf5de90bbf5fbe7e49be227b0c2f9567e661e/EIPS/eip-196.md#gas-costs). [2]- Per [EIP-197](https://github.com/ethereum/EIPs/blob/df132cd37efb3986f9cd3ef4922b15a767d2c54a/EIPS/eip-197.md#specification). + +[3]- [Parity benchmarks.](https://gist.github.com/pdyraga/4649b74436940a01e8221d85e80bfeef)