EIPs/EIPS/eip-2565.md

eip	title	author	discussions-to	status	review-period-end	type	category	created	requires
2565	Repricing of the EIP-198 ModExp precompile	Kelly Olson (@ineffectualproperty), Sean Gulley (@sean-sn), Simon Peffers (@simonatsn), Justin Drake (@justindrake), Dankrad Feist (@dankrad)	https://ethereum-magicians.org/t/big-integer-modular-exponentiation-eip-198-gas-cost/4150	Last Call	2020-07-31	Standards Track	Core	2020-03-20	198

Simple Summary

The EIP-198 ‘big integer modular exponentiation’, or ModExp, precompile is currently overpriced. Re-pricing this precompile will enable more cost efficient verification of RSA signatures, verifiable delay functions (VDFs), primality checks, and more.

Abstract

After benchmarking the ModExp precompile, we discovered that it is ‘overpriced’ relative to other precompiles. We also discovered that the current gas pricing formula could be improved to better estimate the computational complexity of various ModExp input variables. To improve the gas cost pricing for this precompile the following options are available:

1. Modifying the gas pricing formula to better reflect the computational complexity of ModExp operations
2. Changing the value of the GQUADDIVISOR parameter in the ModExp pricing formula to bring its costs more in-line with other precompiles
3. Improving the underlying libraries beneath the ModExp Precompile
4. Any combination of (1), (2), and (3)

We recommend Option (1) and (2) which provides a large practical improvement to gas estimation while keeping implementation complexity low. Option (3) can be implemented at a later point to improve the gas pricing even further.

Motivation

Modular exponentiation is a foundational arithmetic operation for many cryptographic functions including signatures, VDFs, SNARKs, accumulators, and more. Unfortunately, the ModExp precompile is currently over-priced, making these operations inefficient and expensive. By reducing the cost of this precompile, these cryptographic functions become more practical, enabling improved security, stronger randomness (VDFs), and more.

Specification

The current gas pricing formula is defined in EIP-198. This formula divides a ‘computational complexity’ function by a ‘gas conversion’ parameter called GQUADDIVISOR to arrive at a gas cost: floor(mult_complexity(x)/GQUADDIVISOR)

Recommended Option (1): Modify ‘computational complexity’ function and add minimum gas cost

The current complexity function, as defined in EIP-198 is as follow:

def mult_complexity(x):
    if x <= 64: return x ** 2
    elif x <= 1024: return x ** 2 // 4 + 96 * x - 3072
    else: return x ** 2 // 16 + 480 * x - 199680

where is x is max(length_of_MODULUS, length_of_BASE)

This complexity formula was meant to approximate the difficulty of Karatsuba multiplication. However, we found a better approximation for modelling modular exponentiation. We recommend the following formula to better estimate the computational complexity for varying input values:

def mult_complexity(x):
    ceiling(x/64)^2

where is x is max(length_of_MODULUS, length_of_BASE). x is divided by 64 to account for the number of limbs in multiprecision arithmetic.

You can find comparison of these two complexity fomulas for the current test vectors as the following spreadsheet.

In addition to modifying the mult_complexity formula as above, we also recommend wrapping the entire function with a minimum gas price of 100 to ensure that a minimum amount of gas is used when the precompile is called e.g. max(100,floor(mult_complexity(x)/GQUADDIVISOR))

Recommended Option (2): Change value of GQUADDIVISOR

GQUADDIVISOR is set to 20 per EIP-198. We recommend changing the value of this parameter to 3 to account for the changes in the recommended 'computational complexity' formula above.

Option (3): Replace libraries used by ModExp precompiles

ModExp benchmarks for different libraries can be found at the following spreadsheet.

While alternative libraries can provide improved a further 2-5x improvement in performance, this option is not recommended at this time.

Rationale

Recommended Option (1): Modify ‘computational complexity’ formula

A comparison of the current ‘complexity’ function and the proposed function described above can be found at the following spreadsheet.

The new complexity function has a better fit vs. the execution time when compared to the current complexity function. This better fit is because the new complexity formula accounts for the use of binary exponentiation algorithms that are used by ‘bigint’ libraries for large exponents. You may also notice the regression line of the proposed complexity function bisects the test vector data points. This is because the run time varies depending on if the modulus is even or odd.

Recommended Option (2): Change value of GQUADDIVISOR:

After changing the 'computational complexity' formula it is necessary to change QGUADDIVSOR to bring the gas costs inline with their runtime. We recommend changing the value from '20' to '3'. With this change, the cost of the ModExp precompile will have a higher cost (gas/second) than other precompiles such as ECRecover.

Option (3): Improving the ModExp precompile implementations

Replacing the underlying library can improve the performance of the ModExp precompile by 2x-4x for large exponents, but comes at a high implementation cost. We do not recommend this option at this time.

Test Cases

There are no changes to the underlying interface or arithmetic algorithms, so the existing test vectors can be reused. Gas values will need to be updated in the existing unit tests based on the final pricing decided in this EIP. This will ensure that the updated gas calculations are done correctly.

Security Considerations

The biggest security consideration for this EIP is creating a potential DoS vector by making ModExp operations too inexpensive relative to their computation time.

References

EIP-198

Copyright

Copyright and related rights waived via CC0.