fixup gas charging and add benchmarks

It turns out our numbers mostly don't change (except that our hashing
times are now in-line with normal sha256 times...).

Author: Stebalien

fvm/src/gas/price_list.rs

@@ -7,7 +7,6 @@ use std::ops::Mul;
 
 use anyhow::Context;
 use fvm_shared::clock::ChainEpoch;
-use fvm_shared::crypto::signature::SignatureType;
 use fvm_shared::piece::PieceInfo;
 use fvm_shared::sector::{
     AggregateSealVerifyProofAndInfos, RegisteredPoStProof, RegisteredSealProof, ReplicaUpdateInfo,
@@ -102,19 +101,14 @@ lazy_static! {
         address_lookup: Gas::new(1_050_000),
         address_assignment: Gas::new(1_000_000),
 
-        sig_cost: total_enum_map!{
-            SignatureType {
-                Secp256k1 => ScalingCost {
-                    flat: Gas::new(1637292),
-                    scale: Gas::new(10),
-                },
-                BLS =>  ScalingCost{
-                    flat: Gas::new(16598605),
-                    scale: Gas::new(26),
-                },
-            }
-        },
         secp256k1_recover_cost: Gas::new(1637292),
+        bls_pairing_cost: Gas::new(8299302),
+        bls_hashing_cost: ScalingCost {
+            flat: Gas::zero(),
+            // TODO: Can we just use the "sha256" number below?
+            scale: Gas::new(7),
+        },
+
         hashing_cost: total_enum_map! {
             SupportedHashes {
                 Sha2_256 => ScalingCost {
@@ -398,12 +392,12 @@ pub struct PriceList {
     /// Storage gas cost for adding a new actor to the state tree.
     pub(crate) actor_create_storage: Gas,
 
-    /// Gas cost for verifying a cryptographic signature.
-    pub(crate) sig_cost: HashMap<SignatureType, ScalingCost>,
-
     /// Gas cost for recovering secp256k1 signer public key
     pub(crate) secp256k1_recover_cost: Gas,
 
+    pub(crate) bls_pairing_cost: Gas,
+    pub(crate) bls_hashing_cost: ScalingCost,
+
     pub(crate) hashing_cost: HashMap<SupportedHashes, ScalingCost>,
 
     /// Gas cost for walking up the chain.
@@ -577,39 +571,24 @@ impl PriceList {
         GasCharge::new("OnDeleteActor", Zero::zero(), Zero::zero())
     }
 
-    /// Returns gas required for signature verification.
-    #[inline]
-    pub fn on_verify_signature(&self, sig_type: SignatureType, data_len: usize) -> GasCharge {
-        let cost = self.sig_cost[&sig_type];
-        let gas = cost.apply(data_len);
-        GasCharge::new("OnVerifySignature", gas, Zero::zero())
-    }
-
     /// Returns gas required for BLS aggregate signature verification.
+    #[inline]
     pub fn on_verify_aggregate_signature(&self, num_sigs: usize, data_len: usize) -> GasCharge {
-        // TODO: the gas cost calculated below is only an estimate; its actual value is yet to be
-        // benchmarked.
-
         // When `num_sigs` BLS signatures are aggregated into a single signature, the aggregate
         // signature verifier must perform `num_sigs + 1` expensive pairing operations (one
         // pairing on the aggregate signature, and one pairing for each signed plaintext's digest).
         //
         // Note that `bls_signatures` rearranges the textbook verifier equation (containing
         // `num_sigs + 1` full pairings) into a more efficient equation containing `num_sigs + 1`
         // Miller loops and one final exponentiation.
-        let (num_pairings, data_len) = (num_sigs as u64 + 1, data_len as u64);
+        let num_pairings = num_sigs as u64 + 1;
 
-        let ScalingCost {
-            flat: gas_two_pairings,
-            scale: gas_per_byte,
-        } = self.sig_cost[&SignatureType::BLS];
-        let gas_one_pairing = gas_two_pairings.as_milligas() / 2;
-        let gas_pairings = num_pairings * gas_one_pairing;
-        let gas_hashing = data_len * gas_per_byte.as_milligas();
+        let gas_pairings = self.bls_pairing_cost * num_pairings;
+        let gas_hashing = self.bls_hashing_cost.apply(data_len);
 
         GasCharge::new(
-            "OnVerifySignature",
-            Gas::from_milligas(gas_pairings + gas_hashing),
+            "OnVerifyBlsAggregateSignature",
+            gas_pairings + gas_hashing,
             Zero::zero(),
         )
     }

testing/calibration/shared/src/lib.rs

@@ -1,6 +1,5 @@
 // Copyright 2021-2023 Protocol Labs
 // SPDX-License-Identifier: Apache-2.0, MIT
-use fvm_shared::address::Address;
 use fvm_shared::crypto::hash::SupportedHashes;
 use fvm_shared::event::Flags;
 use num_derive::FromPrimitive;
@@ -13,8 +12,8 @@ pub enum Method {
     OnHashing = 1,
     /// Put and get random data to measure `OnBlock*`.
     OnBlock,
-    /// Try (and fail) to verify random data with a public key and signature.
-    OnVerifySignature,
+    /// Try to validate BLS aggregates (correctly).
+    OnVerifyBlsAggregate,
     /// Try (and fail) to recovery a public key from a signature, using random data.
     OnRecoverSecpPublicKey,
     /// Measure sends
@@ -41,16 +40,11 @@ pub struct OnBlockParams {
 }
 
 #[derive(Serialize, Deserialize)]
-pub struct OnVerifySignatureParams {
+pub struct OnVerifyBlsAggregateParams {
     pub iterations: usize,
-    pub size: usize,
-    pub signer: Address,
-    /// A _valid_ signature over *something*, corresponding to the signature scheme
-    /// of the address. A completely random sequence of bytes for signature would be
-    /// immediately rejected by BLS, although not by Secp256k1. And we cannot generate
-    /// valid signatures inside the contract because the libs we use don't compile to Wasm.
     pub signature: Vec<u8>,
-    pub seed: u64,
+    pub keys: Vec<Vec<u8>>,
+    pub messages: Vec<Vec<u8>>,
 }
 
 #[derive(Serialize, Deserialize)]

testing/integration/tests/gas_calibration_test.rs

@@ -1,9 +1,9 @@
 // Copyright 2021-2023 Protocol Labs
 // SPDX-License-Identifier: Apache-2.0, MIT
 mod calibration;
-#[cfg(feature = "calibration")]
+//#[cfg(feature = "calibration")]
 use calibration::*;
-#[cfg(feature = "calibration")]
+//#[cfg(feature = "calibration")]
 use fvm_gas_calibration_shared::*;
 
 #[test]
@@ -375,71 +375,99 @@ fn on_send() {
 
 #[test]
 #[cfg(feature = "calibration")]
-fn on_verify_signature() {
+fn on_verify_bls_aggregate() {
     use bls_signatures::Serialize;
-    use fvm_shared::address::Address;
-    use fvm_shared::crypto::signature::SignatureType;
-    use rand::{thread_rng, Rng, RngCore};
-
-    const CHARGE_NAME: &str = "OnVerifySignature";
-    const METHOD: Method = Method::OnVerifySignature;
+    use rand::{thread_rng, RngCore};
 
-    let sig_types = vec![SignatureType::BLS, SignatureType::Secp256k1];
+    const CHARGE_NAME: &str = "OnVerifyBlsAggregateSignature";
+    const METHOD: Method = Method::OnVerifyBlsAggregate;
 
-    let sizes = common_sizes();
     let iterations = 100;
 
     let mut te = instantiate_tester();
     let mut obs = Vec::new();
     let mut rng = thread_rng();
 
-    // Just some random data over which we can generate an example signature.
-    // Having a valid BLS signature is important otherwise verification is
-    // an instant rejection without hasing the input data.
-    let mut data = vec![0u8; 100];
-    rng.fill_bytes(&mut data);
+    for &n in &[1, 4, 8, 20, 50, 200, 1000] {
+        let mut keys = Vec::new();
+        let mut sks = Vec::new();
+        let mut sigs = Vec::new();
+        let mut messages = Vec::new();
+        for _ in 0..n {
+            let mut data = vec![0u8; 100];
+            rng.fill_bytes(&mut data);
+            let sk = bls_signatures::PrivateKey::generate(&mut rng);
+            let pk = sk.public_key();
+            let sig = sk.sign(&data);
+
+            keys.push(pk.as_bytes());
+            sks.push(sk);
+            messages.push(data);
+            sigs.push(sig);
+        }
+        let signature = bls_signatures::aggregate(&sigs).unwrap().as_bytes();
+        let params = OnVerifyBlsAggregateParams {
+            iterations,
+            signature,
+            keys,
+            messages,
+        };
 
-    for sig_type in sig_types.iter() {
-        let label = format!("{sig_type:?}");
+        let ret = te.execute_or_die(METHOD as u64, &params);
 
-        let (signer, signature) = match sig_type {
-            SignatureType::Secp256k1 => {
-                let sk = libsecp256k1::SecretKey::random(&mut rng);
-                let pk = libsecp256k1::PublicKey::from_secret_key(&sk);
-                let addr = Address::new_secp256k1(&pk.serialize()).unwrap();
-                let sig = secp_sign(&sk, &data).into();
-                (addr, sig)
-            }
-            SignatureType::BLS => {
-                let sk = bls_signatures::PrivateKey::generate(&mut rng);
-                let pk = sk.public_key();
-                let addr = Address::new_bls(&pk.as_bytes()).unwrap();
-                let sig = sk.sign(&data).as_bytes();
-                (addr, sig)
-            }
-        };
+        let iter_obs = collect_obs(&ret, CHARGE_NAME, "signers", n);
+        let iter_obs = eliminate_outliers(iter_obs, 0.02, Eliminate::Top);
 
-        for size in sizes.iter() {
-            let params = OnVerifySignatureParams {
-                iterations,
-                size: *size,
-                signer,
-                signature: signature.clone(),
-                seed: rng.gen(),
-            };
+        obs.extend(iter_obs);
+    }
 
-            let ret = te.execute_or_die(METHOD as u64, &params);
+    let regression = run_linear_regression(&obs);
 
-            let iter_obs = collect_obs(&ret, CHARGE_NAME, &label, *size);
-            let iter_obs = eliminate_outliers(iter_obs, 0.02, Eliminate::Top);
+    export(CHARGE_NAME, &obs, &regression).unwrap();
+}
 
-            obs.extend(iter_obs);
-        }
+#[test]
+#[cfg(feature = "calibration")]
+fn on_verify_bls_aggregate_hashing() {
+    use bls_signatures::Serialize;
+    use rand::{thread_rng, RngCore};
+
+    const CHARGE_NAME: &str = "OnVerifyBlsAggregateSignature";
+    const METHOD: Method = Method::OnVerifyBlsAggregate;
+
+    let iterations = 100;
+    let sizes = common_sizes();
+
+    let mut te = instantiate_tester();
+    let mut obs = Vec::new();
+    let mut rng = thread_rng();
+
+    for &size in sizes.iter() {
+        let mut data = vec![0u8; size];
+        rng.fill_bytes(&mut data);
+        let sk = bls_signatures::PrivateKey::generate(&mut rng);
+        let signature = sk.sign(&data).as_bytes();
+        let keys = vec![sk.public_key().as_bytes()];
+        let messages = vec![data];
+
+        let params = OnVerifyBlsAggregateParams {
+            iterations,
+            signature,
+            keys,
+            messages,
+        };
+
+        let ret = te.execute_or_die(METHOD as u64, &params);
+
+        let iter_obs = collect_obs(&ret, CHARGE_NAME, "bytes", size);
+        let iter_obs = eliminate_outliers(iter_obs, 0.02, Eliminate::Top);
+
+        obs.extend(iter_obs);
     }
 
     let regression = run_linear_regression(&obs);
 
-    export(CHARGE_NAME, &obs, &regression).unwrap();
+    export(&format!("{}{}", CHARGE_NAME, "Hashing"), &obs, &regression).unwrap();
 }
 
 // Scan CBOR Fields with no links.

testing/test_actors/actors/fil-gas-calibration-actor/src/actor.rs

@@ -6,8 +6,8 @@ use fvm_gas_calibration_shared::*;
 use fvm_ipld_encoding::{DAG_CBOR, IPLD_RAW};
 use fvm_sdk::message::params_raw;
 use fvm_sdk::vm::abort;
-use fvm_shared::address::{Address, Protocol};
-use fvm_shared::crypto::signature::{Signature, SignatureType, SECP_SIG_LEN};
+use fvm_shared::address::Address;
+use fvm_shared::crypto::signature::SECP_SIG_LEN;
 use fvm_shared::econ::TokenAmount;
 use fvm_shared::error::ExitCode;
 use fvm_shared::event::{ActorEvent, Entry};
@@ -48,7 +48,7 @@ fn dispatch(method: Method, params_ptr: u32) -> Result<()> {
     match method {
         Method::OnHashing => dispatch_to(on_hashing, params_ptr),
         Method::OnBlock => dispatch_to(on_block, params_ptr),
-        Method::OnVerifySignature => dispatch_to(on_verify_signature, params_ptr),
+        Method::OnVerifyBlsAggregate => dispatch_to(on_verify_bls_aggregate, params_ptr),
         Method::OnRecoverSecpPublicKey => dispatch_to(on_recover_secp_public_key, params_ptr),
         Method::OnSend => dispatch_to(on_send, params_ptr),
         Method::OnEvent => dispatch_to(on_event, params_ptr),
@@ -100,22 +100,12 @@ fn on_block(p: OnBlockParams) -> Result<()> {
     Ok(())
 }
 
-fn on_verify_signature(p: OnVerifySignatureParams) -> Result<()> {
-    let sig_type = match p.signer.protocol() {
-        Protocol::BLS => SignatureType::BLS,
-        Protocol::Secp256k1 => SignatureType::Secp256k1,
-        other => return Err(anyhow!("unexpected protocol: {other}")),
-    };
-    let sig = Signature {
-        sig_type,
-        bytes: p.signature,
-    };
-
-    let mut data = random_bytes(p.size, p.seed);
-
-    for i in 0..p.iterations {
-        random_mutations(&mut data, p.seed + i as u64, MUTATION_COUNT);
-        fvm_sdk::crypto::verify_signature(&sig, &p.signer, &data)?;
+fn on_verify_bls_aggregate(p: OnVerifyBlsAggregateParams) -> Result<()> {
+    let sig = p.signature.try_into().unwrap();
+    let keys: Vec<_> = p.keys.iter().map(|k| (&**k).try_into().unwrap()).collect();
+    let messages: Vec<_> = p.messages.iter().map(|m| &**m).collect();
+    for _ in 0..p.iterations {
+        fvm_sdk::crypto::verify_bls_aggregate(&sig, &keys, &messages)?;
     }
 
     Ok(())