EIP-2666: Repricing of precompiles and Keccak256 function


Metadata
Status: StagnantStandards Track: CoreCreated: 2020-05-22
Authors
Alex Vlasov (@shamatar)

Simple Summary


This EIP tries to set prices of certain precompiles and built-in EVM function to be in line with their performance, consumed resources and newer changes in EVM itself.

New price formulas are proposed for:

  • SHA256 precompile (0x02)
  • RIPEMD precompile (0x03)
  • KECCAK256 opcode (0x20)

Abstract


Costs of many precompiles and built-in functions are invalid at the current state of the clients. This EIP contains a list of changes to the pricing formulas to better reflect underlying computations' structure.

Motivation


Historical pricing for these functions in EVM does not reflect inner structure of the underlying computations (inner structure of the hash functions).

  • EIP-2046 changes a STATICCALL (0xfa) cost to precompile and it may be necessary to adjust costs of some precompiles that may have taken old large cost (700 gas) into account and tried to compensate for it
  • Some precompiles are overpriced and their pricing formulas do not reflect the structure of underlying functions
  • Keccak256 built-in function (opcode) in EVM has pricing that does not reflect underlying hash function structure

Specification


If block_number >= X set the gas cost of the following precompiles and Keccak256 opcode:

  • SHA256 (precompile 0x02): 10 + ((len(input) + 8)/64 + 1) * 9
  • RIPEMD (precompile 0x03): 6 + ((len(input) + 8)/64 + 1) * 12
  • KECCAK256 (0x20): 13 + (len(input)/136 + 1)*15

This EIP ideally requires that MODEXP repricing is implemented to also accurately reflect that there is no implicit compensation for an old STATICCALL (0xfa) cost (pre-2046).

Rationale


Cost of functions being executed must accurately reflect real CPU time spent on computations, so benchmarking was performed for current precompiles and Keccak256 function to measure running time versus input parameters.

Detailed summary of repricing approach

This EIP relies on two facts:

  • apriori knowledge of the inner strucute of the hash functions
  • benchmarks provided by the client teams for some reasonable range of input lengths for random inputs (random byte strings of a given length)

Benchmarks on the most popular clients

Necessary benchmarks for EIP-2666 were provided by the clients and raw form is assembled in here

  • SHA256 precompile

Currently it's 60 gas + 12 gas per 32 byte word (number of words is ceil(len(input)/word_len) here and in similar places. If there is no floor or ceil specifier all divisions below are integer divisions (floor divisions)). Proposed formula is A * ((len(input) + 8) / 64 + 1) + B, with coefficients below

AB
Geth53
OE94
Besu510
Nethermind105

EIP-2666 proposes A = 9, B = 10. There are no large one-off costs in this precompile, so it's EIP-2046 - safe.

  • RIPEMD precompile

Currently it's 600 gas + 120 gas per 32 byte word. Proposed formula is A * ((len(input) + 8) / 64 + 1) + B, with coefficients below

AB
Geth126
OE82
Besu2916
Nethermind106

EIP-2666 proposes A = 12, B = 6. There are no large one-off costs in this precompile, so it's EIP-2046 - safe. Besu expects to have performance improvements by the end of the year.

  • Keccak256 performance

Currently it's 30 gas + 6 gas per 32 byte word. Proposed formula is A * (len(input) / 136 + 1) + B, with coefficients below

AB
Geth1313
OE152
Besu1928
Nethermind163

EIP-2666 proposes A = 15, B = 13. There are no large one-off costs in this precompile, so it's EIP-2046 - safe. Besu expects to have performance improvements by the end of the year.

Tooling and data

Reference material (from benchmarks of different clients) with raw data can be found here.

There is a repository available with inputs for benchmarking and precompiles testing here that can be used by client teams to perform all the necessary measurements.

Raw Besu benchmarks.

Note on formulas structure

There are terms in formulas that look like A * 1 and those are explicitly not combined to the B coefficient to reflect that hash of an empty byte array requires to perform a round of hashing anyway.

Backwards Compatibility


Precompile repricings has happened in a past and can be considered standard procedure. Gas costs of many contracts is expected to reduce that may break re-entrancy protection measures based on fixed gas costs. In any case, such protection should have never been considered good and final.

Test Cases


Let's consider a simple example of Keccak256 hash of 0, 64 and 160 bytes that can is a simple sanity check for implementation.

  • Hash 0 bytes:
    • Old price: 30 + 6 * ceil(0 / 32) = 30 gas
    • New price: 15 * (0/136 + 1) + 13 = 28 gas
  • Hash 64 bytes
    • Old price: 30 + 6 * ceil(64 / 32) = 42 gas
    • New price: 15 * (64/136 + 1) + 13 = 28 gas
  • Hash 160 bytes
    • Old price: 30 + 6 * ceil(160 / 32) = 60 gas
    • New price: 15 * (160/136 + 1) + 13 = 43 gas

Implementation


There is no reference implementation at the time of writing as it requires just a simple change of constants in major clients.

Security Considerations


As described in backward compatibility section in some cases reduction of cost may allow e.g. re-entrancy that was not expected before, but we think that re-entrancy protection based on fixed gas costs is anyway flawed design decision.

Copyright


Copyright and related rights waived via CC0.