-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Computing the maximum ModExp input length #419
Comments
@krlosMata pointed another practical limitation for the input lengths, so we have to adjust the computed lengths with this new restriction. |
After a meeting with @krlosMata and @laisolizq, we decided to add to additional restrictions to the maximum input length of the ModExp, i.e.:
With these two new parameters in mind, we should put ourselves in the case where not only the maximum memory is "almost" reached (and never overflowed in the ModExp computation), but also where the maximum number of steps is "almost" reached (and, again, never overflowed). Finding the worst case scenario (in terms of input length) will give us the actual maximum input length that we can work with and that can be introduced as a possible transaction in the Polygon zkEVM. |
As a first approach, I only take into consideration the first restriction of the previous comment and assumed that the input lengths should be balanced, i.e., that and therefore that The first assumption is valid due to the identification of specific inputs where none of the counters exceed their limits, yet a length of
The second assumption is also valid because the three inputs are used indistinguishable in each of the functions in |
Use cases ModExp:
Other projects that we have been taking a look at using the modexp precompiled like VDF fall into one of the previous cases, so we finally decided to restrict the length of the modexp inputs to 32 to be able to handle all these cases and beyond. |
TL;DR:$30M$ we have the following theoretical bounds:
$$\text{BLen} \leq 75894, \quad \text{MLen} \leq 75894, \quad \text{ELen} \leq 720M + 32,$$
Theoretical Limit: Assuming a gas cost limit of
but there are other things to consider (e.g., see the next comment).
Practical Limit: Assuming a maximum restriction of 2MB in memory size and that the input lengths should be balanced, i.e., that$x := \text{BLen} = \text{MLen} = \text{ELen}$ , we have the following practical bounds:
$$\text{BLen}, \text{MLen}, \text{ELen} \leq 1818.$$
Use Case Limit: After taking a look at projects using the modexp precompiled, we have decided to restrict the length to:
$$\text{BLen}, \text{MLen}, \text{ELen} = 32,$$
being able to handle up to 8192-bit RSA exponentiations.
Introduction
This issue aims to obtain the maximum length of the inputs (base, modulus and exponent) for which we can compute the ModExp precompiled on top of. My reasoning is as follows.
Following the formulas in EIP-2565 that define the gast cost of the ModExp precompile, we have that:
$$\text{GC}(E,\text{Blen},\text{Elen},\text{Mlen}) := \max \left( 200, \left\lfloor \frac{\text{MC}(\text{Blen},\text{Mlen})·\text{IC}(\text{Elen},\text{E})}{3} \right\rfloor \right)$$
$$\text{MC}(\text{Blen},\text{Mlen}) := \left\lceil \frac{\max(\text{BLen},\text{MLen})}{8} \right\rceil ^2,$$
where:
and
Right now, in our zkEVM we have$\text{GC} \leq 30M$ and based on this limit we are going to compute the maximum positive integer that each $\text{BLen},\text{ELen},\text{MLen}$ can take. As we will see, theses maximums are reached on worst cases and/or edge cases scenarios.
Expanding the above formula for the gas (and assuming sufficiently large inputs), we can express the gas bound as$$\text{GC} \leq \text{MC}(\text{Blen},\text{Mlen})·\text{IC}(\text{Elen},\text{E}) \leq 90M.$$
$$\text{GC} \leq \left( \frac{\max(\text{BLen},\text{MLen})}{8} \right) ^2·\text{IC}(\text{Elen},\text{E}) \leq 90M \quad \Longrightarrow \quad \text{GC} \leq \max(\text{BLen},\text{MLen})^2·\text{IC}(\text{Elen},\text{E}) \leq 5760M.$$
and expanding we obtain:
BLen and MLen
Let's focus our attention to$\text{BLen}$ . To obtain its maximum, we need $\text{IC}(\text{Elen},\text{E})$ to be as low as possible, so take $E$ equal to either $0$ or $1$ (which correspond to the two "trivial" cases for ModExp). In both cases we have $\text{IC}(\text{Elen},\text{E}) = 1$ and taking a sufficiently large $\text{BLen}$ we can conclude that $\text{BLen}^2 \leq 5760M$ and therefore $\text{BLen} \leq \sqrt{5760M} \approx 75894$ . That is, we should be able to handle a base $B$ of at most $2372$ chunks of $256$ bits. The exact same reasoning works for $\text{MLen}$ .
ELen
To obtain the maximum for$\text{ELen}$ , we should set $\max(\text{BLen},\text{MLen})^2$ as low as possible and we can make it equal to $1$ by taking any (possibly non-trivial) base and modulus satisfying $\text{BLen} = \text{MLen} = 1$ . Since $\text{ELen} > 32$ we can express the initial inequality as $\log_2(\text{E} \pmod{2^{256}}) + 8·(\text{ELen} - 32) \leq 5760M.$
Now, by taking$E$ to be a multiple of $2^{256}$ we make zero the first summand of the previous expression, leaving as with the inequality $8·(\text{ELen} - 32) \leq 5760M$ and therefore $\text{ELen} \leq 720M + 32$ . This is a number that is represented with at most $22.500.001$ chunks of $256$ bits.
The text was updated successfully, but these errors were encountered: