feat: stabilize alt_bn128 familiy of host functions

[matklad]

Feature to stabilize

This PR stabilizes three host functions: alt_bn128_g1_multiexp, alt_bn128_g1_sum, alt_bn128_pairing_check. They implement addition, scalar multiplication, and pairing check for a specific elliptic curve used in the ethereum ecosystem (eip-196).

Testing and QA

This feature underwent extensive testing:

• we had several audits
• aurora impements ethereum precompiles on top of these host functions, and those precompiles pass ethereum tests
• this PR adds a couple more tests generating using the implementation used in go-ethereum.
• we verified our costs against costs in ethereum, they are roughly comparable in terms of wall-clock time

Pre-mortem

The biggest risk I see is that we are not experts in elliptic curve crypto, so it's hard to judge if the API overall makes sense. Maybe it could be more general, maybe there are better curves, etc. However, it does fit aurora use-case and, given that the impl here is rather straightforward, even if we change something in the future, keeping the current functions won't be too onerous.

Checklist

• Link to nightly nayduck run: https://nayduck.near.org/#/run/2510
• Update CHANGELOG.md to include this protocol feature in the Unreleased section.

[jakmeier]

I have some problems understanding why this is changed. Can you explain it to me please?
For one, it seems counter-intuitive that arbitrary_contract now returns not the standard test contract. I would have thought that a caller that specifically asks for "arbitrary" is able to handle any contract, so the standard contract should be good enough.
Further, I don't really see how this relates to the feature being stabilized here. Is it to avoid testing the change in test_wasmer2_artifact_output_stability? Why wouldn't we want to test that?

[matklad]

We rely on arbitrary_contact being deterministic, as we use it our artifact stability test here:

nearcore/runtime/near-vm-runner/src/tests/cache.rs

Line 100 in b7e844a

fn test_wasmer2_artifact_output_stability() {

rs_contract may grow new imports over time.

[jakmeier]

That explains why we are doing it. But doesn't it change the semantics of arbitrary_contract to an extent that we should rename the function and change the comment on it? (I think we only call it from this test, which relies on contract properties making it non-arbitrary)

[mina86]

I’m confused as well. What does ‘arbitrary_contact being deterministic,’ mean here? There is no guarantee that base_rs_contract will not be changed in the future.

[matklad]

The only thing that matters here is the imports of the base_rs_contract, and those are unlikely to change (b/c adding import is a protocol change).

We could rename it to arbitrary_deterministic_contract, or add a comment explaining how we rely on it being deterministic, but I'd rather not do this. Today, we have a single call-site for this function, and its seems to early to enshrine a specific semantics here. Maybe we'd want to just move this function from common library to that test!

[jakmeier]

Ok, thanks for explaining. Moving it to the test would probably make sense, yeah. But it doesn't make a big difference. The signature of arbitrary_contract, to which I count the name itself, too, is still awkward to me.
But I feel it does not matter that much. I was only worried that we are adding a tiny bit of technical debt here but IMO it's not worth the time spent on further discussions. :)

[PandaRR007]

Hi guys, will this feature be included in release 1.27.0? Thanks.

[matklad]

@PandaRR007 I think it will be!

[PandaRR007]

@PandaRR007 I think it will be!

Good news. I'm looking forward to it.

[mina86]

Hi guys, will this feature be included in release 1.27.0? Thanks.

It most likely won’t. The current policy is that we cut a release a week before the testnet release which happens next Wednesday. In other words only things which were in master on 18th will be included in 1.27.0-rc.1 and no new futures come in during -rc cycle.

[mina86]

55, and you’ll also need to increase STABLE_PROTOCOL_VERSION.

[matklad]

Good catch! I see that now we "jump" over versions 52 and 54, in a sense that these versions won't have any protocol features associated with them. How does this happen? Intuitively it seems that, to make a protocol change, we should have ProtocolFeature, so that we can apply old logic for old protocol versions.

[mina86]

54 is a network layer protocol change when @pompon0 added protobuf support so it doesn’t affect the chain itself. We probably should decouple the two versions at some point. Though with protobufs it might be easier not to worry about network layer protocol version that much.

[mina86]

I’m confused as well. What does ‘arbitrary_contact being deterministic,’ mean here? There is no guarantee that base_rs_contract will not be changed in the future.

[mina86]

Why FIXME? Can’t we just do it now? If bare_wasm is ≥ 10240 than just cp -- test_contract.wasm stable_small_cotract.wasm and we can go on with our lives.

[matklad]

If bare_wasm is ≥ 10240 than just cp -- test_contract.wasm stable_small_cotract.wasm and we can go on with our lives.

The contract will then be bigger than 10KiB, but the current code is written as if it being exactly 10KiB matters.

Ultimately, I suspect that this whole file is mostly dead code at this point, but I'd rather not deal with it during stabilization PR.

[jakmeier]

Yeah please do not change it in this PR. The estimator uses the sizes. Eventhough it doesn't rely on it being exact, I would still want to check that and a stabilization PR is not the right place for such a change anyway.

[jakmeier]

Approving to stabilise this, LGTM. I am happy to see this moving forward! Too bad we will have to wait for another cycle, I did not have the 1 week on my radar...

(Second approval is also required although not enforced by GH.)

[mina86]

I did not have the 1 week on my radar...

Yeah, it’s a new policy. What has been happening so far is that on the day of the release we would scramble to make the cut and then test things before pushing testnet release which wasn’t ideal.

[matklad]

Test failure is interesting:

[2022-05-24 12:35:35] INFO: Got protocol 53 in mainnet release 1.26.0.
[2022-05-24 12:35:35] INFO: Got protocol 53 in testnet release 1.26.0-rc.3.
[2022-05-24 12:35:35] INFO: Got protocol 55 on master branch.

This is probably a side-effect of our time-based protocol upgrade process?

[mina86]

I was afraid upgradable.py might be an issue. The time-based upgrades aren’t an issue here. The test compares versions that --version outputs. The problem in this instance is that 1.27.0-rc.1 with version 54 hasn’t been released yet and the test doesn’t understand that upcoming 1.27.0-rc.1 will use protocol version 54. I think at this point the easiest solution is to wait till Wednesday evening or Thursday once 1.27.0 rolls out and then the test will see 53 on mainnet, 54 on testnet and will allow 55 on master.

[matklad]

sgtm!

[matklad]

@mina86 PTAL!

[mina86]

I’m confused by formatting in this file. Sometimes the data is on separate line, sometimes the whole thing is a single line. Commas also seem to be used arbitrarily. Furthermore, I’d wrap all the buffers at the space. It’s probably too much noise to change it all though so whatever.

[mina86]

Looks like we want to change this to use insta as well at some point?

[matklad]

Yeah, we probably should, though, this shouldn't be changing all that often (this change is particular is because I adjusted the infra to be more stable, not because this is a genuine change).

[frol]

DISCLAIMER: I just ask it out of curiosity, so feel free to ignore it if you don't have the time to answer.

@matklad I am quite late to the party, but I am curious whether we measured the performance of these host functions vs Wasm implementation. It sounds quite unfortunate that we need to have host functions to optimize number crunching performance as Wasm by design supposedly should have covered us here.

P.S. It would be helpful to have link(s) to the PRs that implemented this as a nightly feature to see potential discussions there

[matklad]

P.S. It would be helpful to have link(s) to the PRs that implemented this as a nightly feature to see potential discussions there

Good call, #7288

I am quite late to the party, but I am curious whether we measured the performance of these host functions vs Wasm implementation.

There are two questions here:

• what is the perf gap between native and our particular WebAssembly runtime (optimized for reliability)
• what is the perf gap between native and a WebAssembly runtime optimized performance

For 1, I can't recall super-specific numbers, but I think we did measure a massive cost reduction. To get specific number, you want to play with this test before/after commit locally:

birchmd/aurora-engine@fd4243b#diff-ed8b4fc612dfece459decfe0a47cf4079f5b3e3b7c29cc1f7c4e3be2b42d9b87

The test proves that host fn brought the cost under 200TGas. I don't know the exact difference, but my vague recollection is that was huge.

For 2, we didn't do any measurements, though I'd still expect a significant perf difference there.

Wasm by design supposedly should have covered us here.

My current gut feeling is that our wasm runtime provides non-horrible number crunching perf, but that it is expected to be significantly worse than what you get from a host function

Reasons specific to our WebAssembly runtime (reliability over perf):

• we have a simple non-optimizing single-pass compiler
• gas-counting is non-trivial overhead
• we don't support certain perf-oriented wasm extensions, eg. SIMD. Note that even if we did support SIMD, there would be a perf penalty for more complicated gas accounting.
• with a wasm impl, the cost is pessimistic -- even if particular hash function runs fast in WebAssembly, we have to pessimistically estimate it (we use worst-case cost for WebAssembly instruction). For a host function, we estimate a fixed computation, so we don't need to be pessimistic across this dimension.

Reasons general to WebAssembly:

• At the moment, WebAssembly generally doesn't expose performance-oriented CPU instructions like fused multiply-add or add-with-carry. My intuition here is that WebAssembly is 2X slower for run-of-the-mill code (pointer chaising, conditions) and 20X slower for really hot code, something you traditionally write in asm (codecs, crypto, interpreters).

[akhi3030]

As a related data point, in https://gov.near.org/t/near-polkadot-using-ibc-trustless-bridging-requests/22807/5, @blasrodri benchmarked the performance difference between wasm and native execution for some signature verification. More specifically they showed that native execution can be much faster.

[robert-zaremba]

alt_bn128 is from being fast (in 2022). And there are some security concerns.

In the meantime, many most of the projects opted in BLS12-381. Now, I think the most exciting is Pasta (halo2). Would be great to consider them as well.