Update libsecp256k1 (endomorphism, test improvements) #20147

sipa commented at 6:50 PM on October 14, 2020: member

This updates the libsecp256k1 subtree to the latest master, which includes:

Enabling the GLV endomorphism optimization by default (and removing support for the non-GLV EC multiplication)
Added a proof for the correctness of the lambda split algorithm by roconnor-blockstream (other code was relying on the fact that it always outputs 128 bit results, which isn't at all obvious).
Improved exhaustive tests, in particular for the Schnorr signature module
Various other testing and CI improvements

Squashed 'src/secp256k1/' changes from 8ab24e8dad..c6b6b8f1bb

c6b6b8f1bb Merge #830: Rip out non-endomorphism code + dependencies
c582abade1 Consistency improvements to the comments
63c6b71616 Reorder comments/function around scalar_split_lambda
2edc514c90 WNAF of lambda_split output has max size 129
4232e5b7da Rip out non-endomorphism code
ebad8414b0 Check correctness of lambda split without -DVERIFY
fe7fc1fda8 Make lambda constant accessible
9d2f2b44d8 Add tests to exercise lambda split near bounds
9aca2f7f07 Add secp256k1_split_lambda_verify
acab934d24 Detailed comments for secp256k1_scalar_split_lambda
76ed922a5f Increase precision of g1 and g2
6173839c90 Switch to our own memcmp function
63150ab4da Merge #827: Rename testrand functions to have test in name
c5257aed0b Merge #821: travis: Explicitly set --with-valgrind
bb1f54280f Merge #818: Add static assertion that uint32_t is unsigned int or wider
a45c1fa63c Rename testrand functions to have test in name
5006895bd6 Merge #808: Exhaustive test improvements + exhaustive schnorrsig tests
4eecb4d6ef travis: VALGRIND->RUN_VALGRIND to avoid confusion with WITH_VALGRIND
66a765c775 travis: Explicitly set --with-valgrind
d7838ba6a6 Merge #813: Enable configuring Valgrind support
7ceb0b7611 Merge #819: Enable -Wundef warning
8b7dcdd955 Add exhaustive test for extrakeys and schnorrsig
08d7d89299 Make pubkey parsing test whether points are in the correct subgroup
87af00b511 Abstract out challenge computation in schnorrsig
63e1b2aa7d Disable output buffering in tests_exhaustive.c
39f67dd072 Support splitting exhaustive tests across cores
e99b26fcd5 Give exhaustive_tests count and seed cmdline inputs
49e6630bca refactor: move RNG seeding to testrand
b110c106fa Change exhaustive test groups so they have a point with X=1
cec7b18a34 Select exhaustive lambda in function of order
78f6cdfaae Make the curve B constant a secp256k1_fe
d7f39ae4b6 Delete gej_is_valid_var: unused outside tests
8bcd78cd79 Make secp256k1_scalar_b32 detect overflow in scalar_low
c498366e5b Move exhaustive tests for recovery to module
be31791543 Make group order purely compile-time in exhaustive tests
e73ff30922 Enable -Wundef warning
c0041b5cfc Add static assertion that uint32_t is unsigned int or wider
4ad408faf3 Merge #782: Check if variable=yes instead of if var is set in travis.sh
412bf874d0 configure: Allow specifying --with[out]-valgrind explicitly
34debf7a6d Modify .travis.yml to explictly pass no in env vars instead of setting to nothing
a0e99fc121 Merge #814: tests: Initialize random group elements fully
5738e8622d tests: Initialize random group elements fully
c9939ba55d Merge #812: travis: run bench_schnorrsig
a51f2af62b travis: run bench_schnorrsig
ef37761fee Change travis.sh to check if variables are equal to yes instead of not-empty. Before this, setting `VALGRIND=wat` was considered as true, and to make it evaluate as false you had to unset the variable `VALGRIND=` but not it checks if `VALGRIND=yes` and if it's not `yes` then it's evaluated to false

git-subtree-dir: src/secp256k1
git-subtree-split: c6b6b8f1bb044d7d1aa065ebb674adde98a36a8e

52380bf304

Update libsecp256k1 subtree to latest master 9e5626d2a8

DrahtBot added the label Build system on Oct 14, 2020

DrahtBot added the label Docs on Oct 14, 2020

jonatack commented at 8:52 PM on October 14, 2020: member

Concept ACK.

benthecarman commented at 9:06 PM on October 14, 2020: contributor

ACK 9e5626d

$  ./test/lint/git-subtree-check.sh src/secp256k1
src/secp256k1 in HEAD currently refers to tree c79797189781d6656eba6cb155c249c57b4f5c9a
src/secp256k1 in HEAD was last updated in commit 52380bf304b1c02dda23f1e2fad0159e29b2f7a2 (tree c79797189781d6656eba6cb155c249c57b4f5c9a)
src/secp256k1 in HEAD was last updated to upstream commit c6b6b8f1bb044d7d1aa065ebb674adde98a36a8e (tree c79797189781d6656eba6cb155c249c57b4f5c9a)
GOOD

fanquake approved

fanquake commented at 3:12 AM on October 15, 2020: member

ACK 9e5626d2a8ddbbd7640ff53f89f3a7021d747633 - performed a squash and checked that the changes were the same. The non-endomorphism code has now been ripped out.

how-to-verify-subtree notes here: https://github.com/fanquake/core-review/blob/master/subtree-merge.md

fanquake commented at 3:18 AM on October 15, 2020: member

@jamesob this would be a good PR for you to throw into bitcoinperf.

fanquake merged this on Oct 15, 2020

fanquake closed this on Oct 15, 2020

MarcoFalke removed the label Docs on Oct 15, 2020

jamesob commented at 1:40 PM on October 16, 2020: member

Ran a local IBD comparison on this for 8000 blocks (height 500_000 - 508_000) and to my surprise didn't see any performance difference. Compared the HEAD of this PR to the commit in master preceding it (https://github.com/bitcoin/bitcoin/commit/c2c4dbaebd955ad2829364f7fa5b8169ca1ba6b9). Could be that this platform is bottlenecked by IO and not CPU?

ibd local range 500000 508000

commands index

bench name	command
ibd.local.range.500000.508000	`bitcoind -dbcache=300 -debug=coindb -debug=bench -listen=0 -connect=0 -addnode=127.0.0.1:8888 -prune=9999999 -printtoconsole=0 -assumevalid=000000000000000000176c192f42ad13ab159fdb20198b87e7ba3c001e47b876`

#20147 vs. c2c4dbaebd955ad2829364f7fa5b8169ca1ba6b9 (absolute)

bench name	x	#20147	c2c4dbaebd955ad2829364f7fa5b8169ca1ba6b9
ibd.local.range.500000.508000.total_secs	2	737.8656 (± 3.1841)	738.3541 (± 7.6443)
ibd.local.range.500000.508000.peak_rss_KiB	2	1746294.0000 (± 2362.0000)	1756260.0000 (± 3168.0000)

#20147 vs. c2c4dbaebd955ad2829364f7fa5b8169ca1ba6b9 (relative)

bench name	x	#20147	c2c4dbaebd955ad2829364f7fa5b8169ca1ba6b9
ibd.local.range.500000.508000.total_secs	2	1	1.001
ibd.local.range.500000.508000.peak_rss_KiB	2	1	1.006

sipa commented at 4:07 PM on October 16, 2020: member

@jamesob That's certainly possible. With such a low dbcache, it's also possible it's just spending a lot of time in in preparing leveldb updates to flush.

sidhujag referenced this in commit da4b2dbdff on Oct 16, 2020

Sjors commented at 6:07 PM on October 16, 2020: member

Your assumevalid block is at height 522,000 so you're not checking signatures, I think.

jamesob commented at 5:22 PM on October 17, 2020: member

Great call @Sjors, that should've occurred to me (d'oh). In any case, here are some much less surprising results showing improvement after disabled assumevalid.

ibd local range 500000 508000

commands index

bench name	command
ibd.local.range.500000.508000	`bitcoind -dbcache=300 -debug=coindb -debug=bench -listen=0 -connect=0 -addnode=127.0.0.1:8888 -prune=9999999 -printtoconsole=0 \-assumevalid=0`

#20147 vs. c2c4dbae (absolute)

bench name	x	#20147	c2c4dbae
ibd.local.range.500000.508000.total_secs	2	1529.8273 (± 5.1097)	1780.5817 (± 5.7187)
ibd.local.range.500000.508000.peak_rss_KiB	2	1718228.0000 (± 17852.0000)	1686864.0000 (± 6596.0000)

#20147 vs. c2c4dbae (relative)

bench name	x	#20147	c2c4dbae
ibd.local.range.500000.508000.total_secs	2	1.000	1.164
ibd.local.range.500000.508000.peak_rss_KiB	2	1.019	1.000

For kicks, here's the utxo cache flush history (I need to normalize the times in this graph...).

ibd local range 500000 508000-flush-history

fanquake commented at 1:00 AM on October 19, 2020: member

Thanks @jamesob 👍

zkbot referenced this in commit a92c6d182a on Oct 24, 2020

zkbot referenced this in commit fef4b911d1 on Oct 25, 2020

UdjinM6 referenced this in commit 63ee0494c4 on Aug 10, 2021

5tefan referenced this in commit 1b664a97a5 on Aug 12, 2021

DrahtBot locked this on Feb 15, 2022