crypto/ed25519: Caching public key decompression

[ValarDragon]

For a new node syncing to the chain, they have to process many signatures from the same validators. The same applies to full nodes verifying signatures. Under Ed25519, these public keys have to undergo a point decompression. This point decompression can be trivially cached (see tendermint/ed25519#8). Benchmarking on that PR, caching this point decompression saves 10% of computation time per verify, for all verifications after the first one. (The first verify takes the same exact amount of time)

If we ever implement Ed25519 batch verification, this savings becomes > 20% of the batch verify time, since batch verification doesn't do anything for the point decompression employed.

It has been decided to hold off on integrating this into tendermint, until sync times become a problem for people. For reference, Ed25519 signature verification takes 65% of the time of a CheckTx + DeliverTx combination, implying that it is significant even when accounting for the account mapper / state reads.

The way this would likely be implemented is by changing the internal type of Ed25519 to be a struct with the relevant cached values. The alternative is adding a cache method to every public key type -- I'm not opposed to this as it avoids the extra temporary memory cost of most keys, and I think more key types will benefit from this caching paradigm in a way that shouldn't be ran on keys that are used only once, unlike ed25519. The downside of the cache method is that its confusing / API we have to maintain. (Not that confusing imo though). The downsides of switching Ed25519 to a struct is that every Ed25519 public key in memory is going to take an extra 64 bytes. (It will still marshal the same way, and therefore be the exact same in state). Arguably that isn't an issue, since this provides more significant computational savings if the key is ever reused, and if it isn't reused it will be garbage collected almost immediately. However it must be cautioned then whenever public keys are encoded for being put into state, only the marshalled version is encoded. (I believe this is already the case, so there isn't any concern)

In general, this is a relatively easy optimization we can take advantage of, once we want more speed out of our signature verifications.

[ValarDragon]

Turns out there is even more memoization we can do for free! (Well free computation-wise, costs memory still)

The Ed25519 scheme we're using uses 4-bit windowed computation for unknown bases. (This means that for points that aren't the base point, e.g. A, the multiples [3..15] * A are cached. (Ignoring the evens, due to those being trivial to compute via inverses). Currently these are computed on every verify for the pubkey. We can cache these also at no cost. The benefits will be less dramatic than point-decompression (I think, haven't benchmarked yet), but it should still be noticeable improvement. I think the memory trade-off for caching these will be worth it, since this is stuff thats computed everytime.

For reference, this would basically be saving the following computation via memoization:
https://github.com/tendermint/ed25519/blob/d8387025d2b9d158cf4efb07e7ebf814bcce2057/edwards25519/edwards25519.go#L894

This also still helps for batch verification, if the same pubkey is used across multiple batches. (Which I expect to be the case for fast syncing)

[ValarDragon]

There are even more things we can cache!

For the private key, we can cache the creation of the expandedSecretKey in signing (saves a call to the hash function, should be a significant savings), and we could cache the creation of b0, b1, ..., b11 in ScMulReduce, however I'm unsure of how impactful saving those 11 int64's will be.

[robert-zaremba]

What is the story with this task? It seams that it's an easy optimization. BTW - are we already using batched verification in tendermint?

[tessr]

No, we don't yet have batched verification. That (and most of the other requested crypto work) is currently slated for a release shortly after 1.0.

[hdevalence]

One approach to caching decompressed public keys is the VerificationKey structure in ed25519-zebra.

While it's true that lookup tables can also be cached, this is further along the "engineering effort"/"performance benefit" tradeoff, since without support from the underlying curve library (e.g., a structure like this) it involves breaking through abstraction layers. And, once precomputation is acceptable, there are more tradeoffs to consider, like:

• rather than using a small lookup table, should a large lookup table be used? (the existing size of the lookup table is tuned on the assumption that it's only used once, so it balances construction time vs time savings on a one-off basis)
• is single verification actually the relevant problem? (is it possible to use batch verification instead, which provides much greater savings)?
• how many public keys are in use, and how frequently are they used? (since precomputation is a kind of memory-time tradeoff, if there are many public keys, the required memory may be larger than expected, and memory tradeoffs are discontinuous because of cache size effects).

If Tendermint is planning to use ed25519consensus, the right place to put this kind of precomputation is probably there.

[robert-zaremba]

how many public keys are in use, and how frequently are they used?

@hdevalence cosmos chains have 100-300 validators. Gaia (the Cosmos Hub) has around 150. So I would say there are 150 keys, used in every round (block). They don't change that frequently.

What do you mean with ed25519consensus?

[tac0turtle]

Single key verification has increased by 30-40% (on master). Once I complete my PR on batch verification it will be at least 40%, if not double. I would categorize this issue as a low priority, especially since we don't have anyone internally to work on this.