-
Notifications
You must be signed in to change notification settings - Fork 35.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
script/sign: avoid duplicated signature verification after signing (+introduce signing benchmarks) #28923
base: master
Are you sure you want to change the base?
script/sign: avoid duplicated signature verification after signing (+introduce signing benchmarks) #28923
Conversation
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. Code CoverageFor detailed information about the code coverage, see the test coverage report. ReviewsSee the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update. ConflictsNo conflicts as of last run. |
45f890e
to
18185f4
Compare
Concept ACK |
18185f4
to
9cfa1fb
Compare
Rebased on master, CI should be green now (there was a silent merge conflict in the benchmark due to a change in the |
Does this reduce our safety against memory corruption or similar? |
I don't think so, at least I don't see how verifying a created signature twice in a row has any benefit over doing it only once. |
9cfa1fb
to
90469c8
Compare
src/bench/sign_transaction.cpp
Outdated
{ | ||
ECC_Start(); | ||
|
||
FillableSigningProvider keystore; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would suggest to use FlatSigningProvider
instead (see #28307).
It will also save you one extra GetScriptForDestination
call per created key.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have to admit that I'm lacking knowledge here about the concrete differences between FillableSigningProvider
and FlatSigningProvider
, especially about the possible benefits of the latter in this PR. AFAIR, I chose the fillable provider as it provides a nice interface (.AddKey()
), which the flat one doesn't. The following patch works:
diff --git a/src/bench/sign_transaction.cpp b/src/bench/sign_transaction.cpp
index 8cb5e63882..8bd2ecbcd0 100644
--- a/src/bench/sign_transaction.cpp
+++ b/src/bench/sign_transaction.cpp
@@ -23,7 +23,7 @@ static void SignTransactionSingleInput(benchmark::Bench& bench, InputType input_
{
ECC_Start();
- FillableSigningProvider keystore;
+ FlatSigningProvider keystore;
std::vector<CScript> prev_spks;
// Create a bunch of keys / UTXOs to avoid signing with the same key repeatedly
@@ -31,7 +31,9 @@ static void SignTransactionSingleInput(benchmark::Bench& bench, InputType input_
CKey privkey;
privkey.MakeNewKey(/*fCompressed=*/true);
CPubKey pubkey = privkey.GetPubKey();
- keystore.AddKey(privkey);
+ CKeyID key_id = pubkey.GetID();
+ keystore.keys.emplace(key_id, privkey);
+ keystore.pubkeys.emplace(key_id, pubkey);
// Create specified locking script type
CScript prev_spk;
Is there anything more that could be changed? I don't see how it makes the derivation of the outpoint scriptPubKey (needed for the map of coins) any easier, as I still need the individual GetScriptForDestination
calls dependend on the locking script type.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have to admit that I'm lacking knowledge here about the concrete differences between FillableSigningProvider and FlatSigningProvider, especially about the possible benefits of the latter in this PR.
FillableSigningProvider
is just the legacy class and contains legacy scripts limitations (thus #28307). It does not affect the current form of this PR but, because this benchmark uses segwit v0 and v1 outputs, it could cause issues in the future.
Is there anything more that could be changed? I don't see how it makes the derivation of the outpoint scriptPubKey (needed for the map of coins) any easier, as I still need the individual GetScriptForDestination calls dependend on the locking script type.
I never said that it was going to make derivation easier. I Just said that it will also save you an extra GetScriptForDestination
call per script.
diff --git a/src/bench/sign_transaction.cpp b/src/bench/sign_transaction.cpp
--- a/src/bench/sign_transaction.cpp (revision 90469c8b7c1cd1d88134f6837914552792cbef49)
+++ b/src/bench/sign_transaction.cpp (date 1706283907363)
@@ -23,15 +23,16 @@
{
ECC_Start();
- FillableSigningProvider keystore;
- std::vector<CScript> prev_spks;
+ FlatSigningProvider keystore;
// Create a bunch of keys / UTXOs to avoid signing with the same key repeatedly
for (int i = 0; i < 32; i++) {
CKey privkey;
privkey.MakeNewKey(/*fCompressed=*/true);
CPubKey pubkey = privkey.GetPubKey();
- keystore.AddKey(privkey);
+ CKeyID key_id = pubkey.GetID();
+ keystore.keys.emplace(key_id, privkey);
+ keystore.pubkeys.emplace(key_id, pubkey);
// Create specified locking script type
CScript prev_spk;
@@ -40,7 +41,7 @@
case InputType::P2TR: prev_spk = GetScriptForDestination(WitnessV1Taproot(XOnlyPubKey{pubkey})); break;
default: assert(false);
}
- prev_spks.push_back(prev_spk);
+ keystore.scripts.insert({CScriptID{prev_spk}, prev_spk});
}
// Simple 1-input tx with artificial outpoint
@@ -50,15 +51,16 @@
unsigned_tx.vin.emplace_back(prevout);
// Benchmark.
- int iter = 0;
+ auto it = keystore.scripts.begin();
bench.minEpochIterations(100).run([&] {
CMutableTransaction tx{unsigned_tx};
std::map<COutPoint, Coin> coins;
- CScript prev_spk = prev_spks[(iter++) % prev_spks.size()];
+ const CScript& prev_spk = it->second;
coins[prevout] = Coin(CTxOut(10000, prev_spk), /*nHeightIn=*/100, /*fCoinBaseIn=*/false);
std::map<int, bilingual_str> input_errors;
bool complete = SignTransaction(tx, &keystore, coins, SIGHASH_ALL, input_errors);
assert(complete);
+ if (++it == keystore.scripts.end()) it = keystore.scripts.begin();
});
ECC_Stop();
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FillableSigningProvider is just the legacy class and contains legacy scripts limitations (thus #28307). It does not affect the current form of this PR but, because this benchmark uses segwit v0 and v1 outputs, it could cause issues in the future.
Ok, good to know.
I never said that it was going to make derivation easier. I Just said that it will also save you an extra GetScriptForDestination call per script.
Took me a while now to understand what exactly you mean, after looking deeper in what happens in FillableSigningProvider::AddKey()
and realizing that leads to an indirect GetScriptForDestination
call. I initially assumed that you talk about needing less GetScriptForDestination
calls directly in the benchmark preparation loop (i.e. "save" interpreted in the sense of less code from me, rather than less run-time overhead), which would have surprised me.
I'm still confused on why we would want/need to fill the .scripts
of the FlatSigningProvider though. Aren't those only relevant for spends where redeem scripts are involved, i.e. P2(W)SH? Your proposed patch uses the .scripts
map of the provider instead of an array to store the prev_spks
, but that map is never accessed inside SignTransaction
.
I've changed the PR to take use of FlatSigningProvider
(and GenerateRandomKey
for privkey instantiation, which wasn't available in master back then), but didn't fill the .scripts
map as it seems not necessary for the script types tested here.
90469c8
to
3a3ccf0
Compare
ACK 3a3ccf0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code ACK 3a3ccf0
🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the Possibly this is due to a silent merge conflict (the changes in this pull request being Leave a comment here, if you need help tracking down a confusing failure. |
`ProduceSignature` already calls `VerifyScript` internally as last step in order to check whether the signature data is complete. If and only if that is the case, the `complete` field of the `SignatureData` is set accordingly and there is no need then to verify the script after again, as we already know that it would succeed. This leads to a rough ~20% speed-up for `SignTransaction` for single-input ECDSA or Taproot inputs, according to the `SignTransaction{ECDSA,Taproot}` benchmarks.
3a3ccf0
to
fe92c15
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
utACK fe92c15
This PR is a small performance improvement on the
SignTransaction
function, which is used mostly by the wallet (obviously) and thesignrawtransactionwithkey
RPC. The lower-level functionProduceSignature
already callsVerifyScript
internally as last step in order to check whether the signature data is complete:bitcoin/src/script/sign.cpp
Lines 568 to 570 in daa56f7
If and only if that is the case, the
complete
field of theSignatureData
is set totrue
accordingly and there is no need then to verify the script after again, as we already know that it would succeed.This leads to a rough ~20% speed-up for
SignTransaction
for single-input ECDSA or Taproot transactions, according to the newly introducedSignTransaction{ECDSA,Taproot}
benchmarks:without commit 18185f4:
SignTransactionECDSA
SignTransactionSchnorr
with commit 18185f4:
SignTransactionECDSA
SignTransactionSchnorr
Note that there are already signing benchmarks in the secp256k1 library, but
SignTransaction
does much more than just the cryptographical parts, i.e.:PrecomputedTransactionData
if necessaryVerifyScript
(more than once currently, which is fixed by this PR)so it probably makes sense to also have benchmarks from that higher-level application perspective.