ethereum · eip-automerger · May 8, 2019 · May 3, 2019 · May 3, 2019 · May 3, 2019
@@ -2,14 +2,19 @@
 eip: 1108
 title: Reduce alt_bn128 precompile gas costs
 author: Antonio Salazar Cardozo (@shadowfiend), Zachary Williamson (@zac-williamson)
+discussions-to: https://ethereum-magicians.org/t/eip-1108-reduce-alt-bn128-precompile-gas-costs/3206
 status: Draft
 type: Standards Track
 category: Core
 created: 2018-05-21
 requires: 196, 197
 ---
 
-## Short Description
+## Simple Summary  
+
+The elliptic curve arithmetic precompiles are currently overpriced. Re-pricing the precompiles would greatly assist a number of privacy solutions and scaling solutions on Ethereum. 
+
+## Abstract
 
 Changes in 2018 to the underlying library used by the official Go reference
 implementation led to significant performance gains for the `ECADD`, `ECMUL`,
@@ -36,20 +41,42 @@ constant) has dropped roughly an order of magnitude across the board.
 Also, optimizations in the bn library [in 2018](https://github.com/paritytech/bn/pull/9) and [2019](https://github.com/paritytech/bn/pull/14)
 used by the [Parity client](https://github.com/paritytech/parity-ethereum) led to a 
 significant performance boost we 
-[benchmarked](https://gist.github.com/pdyraga/4649b74436940a01e8221d85e80bfeef) 
+[benchmarked](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53) 
 and compared against the [previous 
-results](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53).  
+results](https://gist.github.com/pdyraga/4649b74436940a01e8221d85e80bfeef).  
+
+
+## Specification
 
-## The Rationale Behind Lowering Gas Costs  
+Following is a table with the current gas cost and new gas cost:
+
+| Contract      | Address   | Current Gas Cost               | Updated Gas Cost    |
+| ------------- | --------- | -----------------------------  | ------------------- |
+| `ECADD`       | `0x06`    | 500<sup>[1]</sup>              | 150                 |
+| `ECMUL`       | `0x07`    | 40 000<sup>[1]</sup>           | 6 000               |
+| Pairing check | `0x08`    | 80 000 * k + 100 000<sup>[2]</sup>| 34 000 * k + 45 000    |
+
+The gas costs for `ECADD` and `ECMUL` are updates to the costs listed in
+EIP-196, while the gas costs for the pairing check are updates to the cost
+listed in EIP-197. Updated gas costs have been adjusted to the less performant 
+client which is Parity, according to benchmarks<sup>[3]</sup>. The updated gas costs are scaled relative to the `ecrecover` precompile. i.e. in the benchmark, `ecrecover` ran in 116 microseconds. If we consider 3,000 gas the fair price for `ecrecover`, we can obtain a metric how much gas should be charged per microsecond of an algorithm's runtime, and use that to price the elliptic curve precompiles.
+
+[1]- Per [EIP-196](https://github.com/ethereum/EIPs/blob/984cf5de90bbf5fbe7e49be227b0c2f9567e661e/EIPS/eip-196.md#gas-costs).
+
+[2]- Per [EIP-197](https://github.com/ethereum/EIPs/blob/df132cd37efb3986f9cd3ef4922b15a767d2c54a/EIPS/eip-197.md#specification).
+
+[3]- [Parity benchmarks.](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53)
+
+## Rationale  
 
 ### Existing protocols would benefit immensely from cheaper elliptic curve cryptography
 
 Fast elliptic curve cryptography is a keystone of a growing number of protocols built on top of Ethereum. To list a few:  
 
-  [The AZTEC protocol](https://github.com/AztecProtocol/AZTEC) utilizes the elliptic curve precompiles to construct private tokens, with zero-knowledge transaction logic, via the [ERC1723](https://github.com/ethereum/EIPs/issues/1723) and [ERC1724](https://github.com/ethereum/EIPs/issues/1724) standard.  
-  [Matter Labs](https://github.com/matter-labs/matter-network) utilizes the precompiles to implement Ignis, a scaling solution with a throughput of 500txns per second  
-  [Rollup](https://github.com/rollup/rollup) utilizes the precompiles to create L2 scaling solutions, where the correctness of transactions is gauranteed by main-net, without an additional consensus layer  
-  [ZEther](https://crypto.stanford.edu/~buenz/papers/zether.pdf) uses precompiles `0x06` and `0x07` to construct confidential transactions  
+* [The AZTEC protocol](https://github.com/AztecProtocol/AZTEC) utilizes the elliptic curve precompiles to construct private tokens, with zero-knowledge transaction logic, via the [ERC1723](https://github.com/ethereum/EIPs/issues/1723) and [ERC1724](https://github.com/ethereum/EIPs/issues/1724) standard.  
+* [Matter Labs](https://github.com/matter-labs/matter-network) utilizes the precompiles to implement Ignis, a scaling solution with a throughput of 500txns per second  
+* [Rollup](https://github.com/rollup/rollup) utilizes the precompiles to create L2 scaling solutions, where the correctness of transactions is gauranteed by main-net, without an additional consensus layer  
+* [ZEther](https://crypto.stanford.edu/~buenz/papers/zether.pdf) uses precompiles `ECADD` and `ECMUL` to construct confidential transactions  
 
 These are all technologies that have been, or are in the process of being, deployed to main-net. There protocols would all benefit from reducing the gas cost of the precompiles.  
 
@@ -76,23 +103,16 @@ If zk-SNARK verification costs are decreased, these solutions can be deployed fo
 
 This EIP does not require Parity or Geth to deploy new cryptographic libraries, as fast bn128 algorithms have already been integrated into these clients. This goal of proposing this EIP for Istanbul, is to supplement [EIP-1829](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1829.md) (arithmetic over generic elliptic curves), providing an immediate solution to the pressing problem of expensive cryptography, while more advanced solutions are developed, defined and deployed.
 
-## Specification
 
-Following is a table with the current gas cost and new gas cost:
-
-| Contract      | Address   | Current Gas Cost               | Updated Gas Cost    |
-| ------------- | --------- | -----------------------------  | ------------------- |
-| `ECADD`       | `0x06`    | 500<sup>[1]</sup>              | 150                 |
-| `ECMUL`       | `0x07`    | 40 000<sup>[1]</sup>           | 6 000               |
-| Pairing check | `0x08`    | 80 000 * k + 100 000<sup>[2]</sup>| 34 000 * k + 45 000    |
+## Test Cases  
 
-The gas costs for `ECADD` and `ECMUL` are updates to the costs listed in
-EIP-196, while the gas costs for the pairing check are updates to the cost
-listed in EIP-197. Updated gas costs have been adjusted to the less performant 
-client which is Parity, according to benchmarks<sup>[3]</sup>. The updated gas costs are scaled relative to the `ecrecover` precompile.
+As no underlying algorithms are not being changed, there are no additional test cases to specify.  
 
-[1]- Per [EIP-196](https://github.com/ethereum/EIPs/blob/984cf5de90bbf5fbe7e49be227b0c2f9567e661e/EIPS/eip-196.md#gas-costs).
+## Implementation  
 
-[2]- Per [EIP-197](https://github.com/ethereum/EIPs/blob/df132cd37efb3986f9cd3ef4922b15a767d2c54a/EIPS/eip-197.md#specification).
+Both the Parity and Geth clients have already implemented cryptographic libraries that are fast enough to justify reducing the precompile gas costs. As a reference, here are a list of elliptic curve libraries, in `C++`, `golang` and `rust`, that support the `bn128` curve, and have run-times that are equal to or faster than the Parity benchmarks.  
 
-[3]- [Parity benchmarks.](https://gist.github.com/zac-williamson/838410a3da179d47d31b25b586c15e53)
+* [Parity bn crate (rust)](https://github.com/paritytech/bn)  
+* [Geth bn256 library (golang)](https://github.com/ethereum/go-ethereum/tree/master/crypto/bn256/cloudflare)  
+* [MCL, a portable C++ pairing library](https://github.com/herumi/mcl)  
+* [Libff, a C++ pairing library used in many zk-SNARK libraries](https://github.com/scipr-lab/libff)