Edmund/continue poseidon

[edmundnoble]

This PR supersedes #1274.

Remaining work: check test vectors, check gas.
Edit: both done.

The performance improvements in this PR go from this:

defaultMain [bench "poseidon" $ whnf poseidon [1,2,3,4,5,6,7,8]]
benchmarking poseidon
time                 1.696 ms   (1.686 ms .. 1.710 ms)
                     0.999 R²   (0.999 R² .. 1.000 R²)
mean                 1.704 ms   (1.695 ms .. 1.722 ms)
std dev              41.47 μs   (25.65 μs .. 74.70 μs)
variance introduced by outliers: 13% (moderately inflated)

to this:

defaultMain [bench "poseidon" $ whnf poseidon [1,2,3,4,5,6,7,8]]
benchmarking poseidon
time                 1.222 ms   (1.215 ms .. 1.230 ms)
                     0.999 R²   (0.999 R² .. 1.000 R²)
mean                 1.222 ms   (1.212 ms .. 1.244 ms)
std dev              49.37 μs   (21.97 μs .. 99.33 μs)

and from this:

defaultMain [bench "poseidon" $ whnf poseidon [1,2]]
benchmarking poseidon
time                 182.7 μs   (182.1 μs .. 183.3 μs)
                     1.000 R²   (1.000 R² .. 1.000 R²)
mean                 182.0 μs   (181.2 μs .. 182.7 μs)
std dev              2.628 μs   (2.202 μs .. 3.368 μs)

to this:

defaultMain [bench "poseidon" $ whnf poseidon [1,2]]
benchmarking poseidon
time                 159.5 μs   (155.2 μs .. 164.8 μs)
                     0.996 R²   (0.993 R² .. 0.999 R²)
mean                 155.5 μs   (153.7 μs .. 157.8 μs)
std dev              6.763 μs   (5.227 μs .. 10.27 μs)
variance introduced by outliers: 43% (moderately inflated)

PR checklist:

• Test coverage for the proposed changes
• PR description contains example output from repl interaction or a snippet from unit test output
• Documentation has been updated if new natives or FV properties have been added. To generate new documentation, issue cabal run tests. If they pass locally, docs are generated.
• Any changes that could be relevant to users have been recorded in the changelog
• In case of changes to the Pact trace output (pact -t), make sure pact-lsp is in sync.

Additionally, please justify why you should or should not do the following:

• Confirm replay/back compat
• Benchmark regressions
• (For Kadena engineers) Run integration-tests against a Chainweb built with this version of Pact

[edmundnoble]

Gas graph:

The actual inputs don't affect the time taken to compute the hash from what I can tell, only the number of them, so that's the X axis. The Y axis is micros * 2.5, i.e. gas as a unit of time.

[emilypi]

Looking good so far

[emilypi]

This is non-idiomatic of the way we write native docs. There's no need to intro this now.

[edmundnoble]

Let me know if the new version is idiomatic.

[0xd34df00d]

My group theory is rusty, but can you do mod just once after all the multiplications?

[jwiegley]

I tried some basic tests and that seems to hold true:

module Main where

modulus :: Integer
modulus = 53

mulmod :: Integer -> Integer -> Integer
mulmod a b = (a * b) `mod` modulus

sig :: Integer -> Integer
sig inVal =
  let in2 = mulmod inVal inVal
      in4 = mulmod in2 in2
  in mulmod in4 inVal

mulmod2:: Integer -> Integer -> Integer
mulmod2 a b = (a * b)

sig2 :: Integer -> Integer
sig2 inVal =
  let in2 = mulmod2 inVal inVal
      in4 = mulmod2 in2 in2
  in mulmod2 in4 inVal `mod` modulus

main :: IO ()
main = do
    print $ sig 123
    print $ sig 456
    print $ sig 789
    print $ sig2 123
    print $ sig2 456
    print $ sig2 789

[0xd34df00d]

Alright, I grabbed a pen and paper today! So the question effectively is whether ab mod n = (a mod n) × (b mod n) mod n. Let's use brute force and assume a = k₁n + r₁, b = k₂n + r₂ (with the usual conditions of r₁, r₂ < n). Then:

ab mod n = (...) × n + r₁r₂ mod n = r₁r₂ mod n

while for the rhs

(a mod n) × (b mod n) mod n = r₁r₂ mod n

so that clearly holds, and mod can happen just once. That is assuming nothing funny happens wrt negative signs here and haskell mod behaves like math mod (which IIRC it does).

[edmundnoble]

Thanks Georg, worth a try.

Just tried it, it's not any faster according to my benchmark to do

(inVal ^ 5) `mod` modulus

than to do what we're doing now. I think that's what you were suggesting.

[0xd34df00d]

Yep, that was it.

Well, perhaps it's not that much of a hotspot then! Up to you what expression to keep, although I'd probably vote for inVal ^ 5 — this way it's more obvious what's happening.

[jmcardon]

I think sig is just strangely named (due a the paper reference impl maybe?).

That said (inVal ^ 5) if the ^ implementation isn't applying modulo may be significantly slower because of the size the integers can grow. The modulus is quite a large prime, so there are numbers quite large there.

[edmundnoble]

Here's where exactly the constants came from: https://github.com/iden3/circomlibjs/blob/main/src/poseidon_constants.js. I've patched the PR to use the exact same constants (in hex, just like they do it) so it's easier to compare. I have verified by hand that the output for these test vectors matches the output from https://github.com/iden3/circomlibjs/blob/main/src/poseidon_reference.js.

[imalsogreg]

Looks fantastic!

• Ran it locally in repl, outputs look reasonable
• Rejects some bad arguments as expected
• Unit tests look good
• Gas tests look good
• Gas analysis matches the benchmarks
• Repl complains when DisablePact410

[jmcardon]

This constant is in our ZK impl as well. I wonder whether we want a common place for it.

[jmcardon]

sig is just a^5 mod n, is the name due to the reference impl?

[edmundnoble]

Yes I think.

[jmcardon]

ark = summod ?

[edmundnoble]

Yeah I kept the names just in case this makes it easier to compare to the ref. impl.

[jmcardon]

I think sig is just strangely named (due a the paper reference impl maybe?).

That said (inVal ^ 5) if the ^ implementation isn't applying modulo may be significantly slower because of the size the integers can grow. The modulus is quite a large prime, so there are numbers quite large there.

[jmcardon]

Same amount Kobe and Shaq have combined.

[jmcardon]

error here worries me ever so slightly, only since the function spits out package hashes.

[edmundnoble]

We never get to this point anyway, because of the case in poseidonDef. But I can replace this with a bespoke exception type if you'd prefer.

[jmcardon]

Should be okay 👍