EIP-152: Blake2b F precompile
#2129
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Also added myself as an author
Should have a working geth precompile and initial benchmarks shortly
While 2046's cheaper precompile contract calls aren't a requirement for this EIP's implementation, shipping this precompile without EIP-2046 would make the F function expensive for some of the motivating usecases.
Replace the existing ABI encoding interface to the BLAKE2b `F` precompile with a loosely pack struct that's `staticcall`-friendly. H/t to @pdyraga for putting together the interface!
Let's not relitigate precompiles, WASM, etc in thie EIP :)
If a conflicting EIP is moving forward the EIP editor can assign a new address
|
This supersedes our internal PR, which has some initial discussion. |
|
Initial implementation with benchmarks is at keep-network/go-ethereum#4 🎉
|
prestwich
reviewed
Jun 21, 2019
Contributing docs suggest EIPs be named `eip-draft-with-a-title` until an editor has been assigned, but discussing this work off-platform without a number is a problem. Assigning 152 as the issue number where the `F` precompile was originally raised (ethereum#152)
pdyraga
reviewed
Jun 21, 2019
|
I suggest closing this EIP at the same time #2136 is merged |
holiman
reviewed
Jun 24, 2019
holiman
reviewed
Jun 24, 2019
holiman
reviewed
Jun 24, 2019
axic
reviewed
Jun 24, 2019
axic
reviewed
Jun 24, 2019
axic
reviewed
Jun 24, 2019
axic
reviewed
Jun 24, 2019
axic
reviewed
Jun 24, 2019
axic
reviewed
Jun 24, 2019
axic
reviewed
Aug 16, 2019
axic
reviewed
Aug 16, 2019
|
@axic I've pinged a few folks from ZCash last week to take a look at the test vectors. If we can, let's wait for 2-3 days before merging. |
|
I'm curious about the
However, running it with In this case, what is the relation between the input state and the output state? EDIT: It appears that the output if rounds == zero (regardless of input) always becomes the |
|
Pantheon got the same result for 213 zeros. Added to my tests PR, along with zero length array and moving 8 million rounds (a more realistic max rounds) out of time consuming tests. |
|
@holiman I do agree this may be not very intuitive but this is how |
|
At this point, there is nothing to add here on my side. I'd recommend merging this PR if we all agree on it. |
|
Looks good to me. |
6 tasks
|
Something blocking merging this, @axic ? |
axic
approved these changes
Aug 22, 2019
|
I think this is fine for merging. I'll open my comments on the discussion URL. |
ilanolkies
pushed a commit
to ilanolkies/EIPs
that referenced
this pull request
Nov 12, 2019
* Brought issue ethereum#152 into the repo as a draft EIP. Thanks @tjade273! * Make the draft EIP consistent with the template Also added myself as an author * Break backwards compatibility into its own section * Added notes about the in-progress implementation Should have a working geth precompile and initial benchmarks shortly * Specify EIP-2046 as a requirement While 2046's cheaper precompile contract calls aren't a requirement for this EIP's implementation, shipping this precompile without EIP-2046 would make the F function expensive for some of the motivating usecases. * Don't use ABI encoding for precompile Replace the existing ABI encoding interface to the BLAKE2b `F` precompile with a loosely pack struct that's `staticcall`-friendly. H/t to @pdyraga for putting together the interface! * Add @pdyraga to the EIP authors. * Remove less relevant EIP rationale Let's not relitigate precompiles, WASM, etc in thie EIP :) * Use 0x09 as the precompile address If a conflicting EIP is moving forward the EIP editor can assign a new address * Choosing an EIP number Contributing docs suggest EIPs be named `eip-draft-with-a-title` until an editor has been assigned, but discussing this work off-platform without a number is a problem. Assigning 152 as the issue number where the `F` precompile was originally raised (ethereum#152) * Add a missing colon Thanks @axic 🙌 * Spelling updates * Add @MadeofTin to the authors list * Prefer the original issue for discussion * Clarify the precompile's initial implementation * Make the precompile return value clear * Clean up references wording * More rationale around this BLAKE2b approach * Fix a couple misspellings * Updated the interface for F precompile - F precompile accepts now `abi.encodePacked` parameters taking exactly 213 bytes. This is safer and does not require left-padding data - `rounds` parameter is now the first one as the gas cost depends only on this parameter * Updated gas cost section proposing GFROUND=1 * Detailed benchmarks moved to appendix section * Benchmark stats are compared against ecRecover as a baseline * Clarification: f parameter is true if it is nonzero This rule is compatible with Solidity for boolean. * Avoid referring to abi.encodePacked The specification should not be Solidity-specific. Instead of referring to abi.encodePacked we now just say "tightly encoded". * Fixed incorrect link "specified in the RFC" linked to the geth PR for F precompile instead of linking to the BLAKE2b RFC. * Shortened the description about when parameter f is considered as true * Minor grammar improvement * Updated information about endianness of F precompile inputs BLAKE2b is consistently little-endian. abi.encodePacked encodes each of its arguments in big-endian order. We need to be clear which parameters should go as little-endian (h, m, t) and which parameters should go as big-endian (rounds, f). * Strict validation of f parameter * Initial test vectors for F precompile Test cases covered: - input length too short - input length too long - malformed f flag encoding - correct input, test vector from BLAKE2b RFC, Appendix A * Test vector for a non-final round * Test vector for the maximum number of rounds * Test vector for a single round * Added test vector for empty input * The final block indicator (8-bit word) does not have endianness * Clarify state vector encoding does not change in the output * Put too short input test vector next to empty input test vector * Added test vector for zero-rounds BLAKE2b case
MadeofTin
pushed a commit
to MadeofTin/EIPs
that referenced
this pull request
Nov 13, 2019
* Brought issue ethereum#152 into the repo as a draft EIP. Thanks @tjade273! * Make the draft EIP consistent with the template Also added myself as an author * Break backwards compatibility into its own section * Added notes about the in-progress implementation Should have a working geth precompile and initial benchmarks shortly * Specify EIP-2046 as a requirement While 2046's cheaper precompile contract calls aren't a requirement for this EIP's implementation, shipping this precompile without EIP-2046 would make the F function expensive for some of the motivating usecases. * Don't use ABI encoding for precompile Replace the existing ABI encoding interface to the BLAKE2b `F` precompile with a loosely pack struct that's `staticcall`-friendly. H/t to @pdyraga for putting together the interface! * Add @pdyraga to the EIP authors. * Remove less relevant EIP rationale Let's not relitigate precompiles, WASM, etc in thie EIP :) * Use 0x09 as the precompile address If a conflicting EIP is moving forward the EIP editor can assign a new address * Choosing an EIP number Contributing docs suggest EIPs be named `eip-draft-with-a-title` until an editor has been assigned, but discussing this work off-platform without a number is a problem. Assigning 152 as the issue number where the `F` precompile was originally raised (ethereum#152) * Add a missing colon Thanks @axic 🙌 * Spelling updates * Add @MadeofTin to the authors list * Prefer the original issue for discussion * Clarify the precompile's initial implementation * Make the precompile return value clear * Clean up references wording * More rationale around this BLAKE2b approach * Fix a couple misspellings * Updated the interface for F precompile - F precompile accepts now `abi.encodePacked` parameters taking exactly 213 bytes. This is safer and does not require left-padding data - `rounds` parameter is now the first one as the gas cost depends only on this parameter * Updated gas cost section proposing GFROUND=1 * Detailed benchmarks moved to appendix section * Benchmark stats are compared against ecRecover as a baseline * Clarification: f parameter is true if it is nonzero This rule is compatible with Solidity for boolean. * Avoid referring to abi.encodePacked The specification should not be Solidity-specific. Instead of referring to abi.encodePacked we now just say "tightly encoded". * Fixed incorrect link "specified in the RFC" linked to the geth PR for F precompile instead of linking to the BLAKE2b RFC. * Shortened the description about when parameter f is considered as true * Minor grammar improvement * Updated information about endianness of F precompile inputs BLAKE2b is consistently little-endian. abi.encodePacked encodes each of its arguments in big-endian order. We need to be clear which parameters should go as little-endian (h, m, t) and which parameters should go as big-endian (rounds, f). * Strict validation of f parameter * Initial test vectors for F precompile Test cases covered: - input length too short - input length too long - malformed f flag encoding - correct input, test vector from BLAKE2b RFC, Appendix A * Test vector for a non-final round * Test vector for the maximum number of rounds * Test vector for a single round * Added test vector for empty input * The final block indicator (8-bit word) does not have endianness * Clarify state vector encoding does not change in the output * Put too short input test vector next to empty input test vector * Added test vector for zero-rounds BLAKE2b case
BelfordZ
pushed a commit
to BelfordZ/EIPs
that referenced
this pull request
Dec 13, 2019
* Brought issue ethereum#152 into the repo as a draft EIP. Thanks @tjade273! * Make the draft EIP consistent with the template Also added myself as an author * Break backwards compatibility into its own section * Added notes about the in-progress implementation Should have a working geth precompile and initial benchmarks shortly * Specify EIP-2046 as a requirement While 2046's cheaper precompile contract calls aren't a requirement for this EIP's implementation, shipping this precompile without EIP-2046 would make the F function expensive for some of the motivating usecases. * Don't use ABI encoding for precompile Replace the existing ABI encoding interface to the BLAKE2b `F` precompile with a loosely pack struct that's `staticcall`-friendly. H/t to @pdyraga for putting together the interface! * Add @pdyraga to the EIP authors. * Remove less relevant EIP rationale Let's not relitigate precompiles, WASM, etc in thie EIP :) * Use 0x09 as the precompile address If a conflicting EIP is moving forward the EIP editor can assign a new address * Choosing an EIP number Contributing docs suggest EIPs be named `eip-draft-with-a-title` until an editor has been assigned, but discussing this work off-platform without a number is a problem. Assigning 152 as the issue number where the `F` precompile was originally raised (ethereum#152) * Add a missing colon Thanks @axic 🙌 * Spelling updates * Add @MadeofTin to the authors list * Prefer the original issue for discussion * Clarify the precompile's initial implementation * Make the precompile return value clear * Clean up references wording * More rationale around this BLAKE2b approach * Fix a couple misspellings * Updated the interface for F precompile - F precompile accepts now `abi.encodePacked` parameters taking exactly 213 bytes. This is safer and does not require left-padding data - `rounds` parameter is now the first one as the gas cost depends only on this parameter * Updated gas cost section proposing GFROUND=1 * Detailed benchmarks moved to appendix section * Benchmark stats are compared against ecRecover as a baseline * Clarification: f parameter is true if it is nonzero This rule is compatible with Solidity for boolean. * Avoid referring to abi.encodePacked The specification should not be Solidity-specific. Instead of referring to abi.encodePacked we now just say "tightly encoded". * Fixed incorrect link "specified in the RFC" linked to the geth PR for F precompile instead of linking to the BLAKE2b RFC. * Shortened the description about when parameter f is considered as true * Minor grammar improvement * Updated information about endianness of F precompile inputs BLAKE2b is consistently little-endian. abi.encodePacked encodes each of its arguments in big-endian order. We need to be clear which parameters should go as little-endian (h, m, t) and which parameters should go as big-endian (rounds, f). * Strict validation of f parameter * Initial test vectors for F precompile Test cases covered: - input length too short - input length too long - malformed f flag encoding - correct input, test vector from BLAKE2b RFC, Appendix A * Test vector for a non-final round * Test vector for the maximum number of rounds * Test vector for a single round * Added test vector for empty input * The final block indicator (8-bit word) does not have endianness * Clarify state vector encoding does not change in the output * Put too short input test vector next to empty input test vector * Added test vector for zero-rounds BLAKE2b case
tkstanczak
pushed a commit
to tkstanczak/EIPs
that referenced
this pull request
Nov 7, 2020
* Brought issue ethereum#152 into the repo as a draft EIP. Thanks @tjade273! * Make the draft EIP consistent with the template Also added myself as an author * Break backwards compatibility into its own section * Added notes about the in-progress implementation Should have a working geth precompile and initial benchmarks shortly * Specify EIP-2046 as a requirement While 2046's cheaper precompile contract calls aren't a requirement for this EIP's implementation, shipping this precompile without EIP-2046 would make the F function expensive for some of the motivating usecases. * Don't use ABI encoding for precompile Replace the existing ABI encoding interface to the BLAKE2b `F` precompile with a loosely pack struct that's `staticcall`-friendly. H/t to @pdyraga for putting together the interface! * Add @pdyraga to the EIP authors. * Remove less relevant EIP rationale Let's not relitigate precompiles, WASM, etc in thie EIP :) * Use 0x09 as the precompile address If a conflicting EIP is moving forward the EIP editor can assign a new address * Choosing an EIP number Contributing docs suggest EIPs be named `eip-draft-with-a-title` until an editor has been assigned, but discussing this work off-platform without a number is a problem. Assigning 152 as the issue number where the `F` precompile was originally raised (ethereum#152) * Add a missing colon Thanks @axic 🙌 * Spelling updates * Add @MadeofTin to the authors list * Prefer the original issue for discussion * Clarify the precompile's initial implementation * Make the precompile return value clear * Clean up references wording * More rationale around this BLAKE2b approach * Fix a couple misspellings * Updated the interface for F precompile - F precompile accepts now `abi.encodePacked` parameters taking exactly 213 bytes. This is safer and does not require left-padding data - `rounds` parameter is now the first one as the gas cost depends only on this parameter * Updated gas cost section proposing GFROUND=1 * Detailed benchmarks moved to appendix section * Benchmark stats are compared against ecRecover as a baseline * Clarification: f parameter is true if it is nonzero This rule is compatible with Solidity for boolean. * Avoid referring to abi.encodePacked The specification should not be Solidity-specific. Instead of referring to abi.encodePacked we now just say "tightly encoded". * Fixed incorrect link "specified in the RFC" linked to the geth PR for F precompile instead of linking to the BLAKE2b RFC. * Shortened the description about when parameter f is considered as true * Minor grammar improvement * Updated information about endianness of F precompile inputs BLAKE2b is consistently little-endian. abi.encodePacked encodes each of its arguments in big-endian order. We need to be clear which parameters should go as little-endian (h, m, t) and which parameters should go as big-endian (rounds, f). * Strict validation of f parameter * Initial test vectors for F precompile Test cases covered: - input length too short - input length too long - malformed f flag encoding - correct input, test vector from BLAKE2b RFC, Appendix A * Test vector for a non-final round * Test vector for the maximum number of rounds * Test vector for a single round * Added test vector for empty input * The final block indicator (8-bit word) does not have endianness * Clarify state vector encoding does not change in the output * Put too short input test vector next to empty input test vector * Added test vector for zero-rounds BLAKE2b case
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adapt #152 into a proper EIP, including an initial implementation and simple benchmarks.
After discussion with the most recent EIP authors and the Zcash team, we've decided to pursue a direct BLAKE2b
Fprecompile rather than focus on improving EIP-131. While EIP-131 is a bit more friendly to application developers, it isn't a flexible enough approach to bring BLAKE2b to the EVM and should be considered a nice-to-have.Appreciate the support of @MadeofTin @zookozcash @daira @str4d @prestwich in getting to this approach, and of course @pdyraga for his initial implementation.