Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.1 -> main] Add subjective limit to mod_exp host function #742

Merged
merged 5 commits into from
Aug 3, 2022
Merged

[3.1 -> main] Add subjective limit to mod_exp host function #742

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
737baf5
Add subjective limit to mod_exp host function.
arhag Aug 3, 2022
8cbd077
Update fc submodule.
arhag Aug 3, 2022
65573e6
Merge pull request #739 from eosnetworkfoundation/arhag/GH-361-mod-ex…
arhag Aug 3, 2022
8bdf1d5
Merge branch 'release/3.1.x' into arhag/GH-361-mod-exp-limits-for-main
arhag Aug 3, 2022
6e72e79
Update fc submodule.
arhag Aug 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions libraries/chain/webassembly/crypto.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,14 @@ namespace eosio { namespace chain { namespace webassembly {
span<const char> exp,
span<const char> modulus,
span<char> out) const {
if (context.control.is_producing_block()) {
static constexpr int byte_size_limit = 256; // Allow up to 2048-bit values for base, exp, and modulus.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How was the 2048 bit constraint chosen?
It's normal to have 4096 bit modulus nowadays, especially with root certificates.
If there isn't big performance hit (CPU, RAM) I'd suggest to lift this constraint to 512.

Copy link
Member Author

@arhag arhag Aug 4, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See reasoning in this comment within the code:

mandel/unittests/crypto_primitives_tests.cpp

Lines 415 to 423 in 6514a7d

// Given the need to respect the deadline timer and the current limitation that the deadline timer is not plumbed into the
// inner loops of the implementation of mod_exp (which currently exists in the gmp shared library), only a small enough duration for
// mod_exp can be tolerated to avoid going over the deadline timer by too much. A good threshold for small may be less than 5 ms.
// Then based on benchmarks within the test_modular_arithmetic test within fc, it seems safe to limit the bit size to 2048 bits.
// This test case verifies that the subjective bit size limit for mod_exp is properly enforced within libchain.
// To allow mod_exp to be more useful, the limits on bit size need to be removed and the deadline timer plumbing into the implementation
// needs to occur. When that happens, this test case can be removed.

The 5 ms is somewhat arbitrary. The idea is to not have it be too large of a fraction of the time it takes to deliver a complete block to the next producer to avoid missing blocks. If we assume a typical window of 100 ms time given based on configuration in the producer plugin, then bounding it to 5 ms eats up less than 5% of that time reserved to complete the block, sign it, and then start working on the next one (if not at the end of the round for that producer) or deliver over the network to the next producer in the schedule (if at the end of the round for that producer in which case they typically have more time available as well than 100 ms based on default configurations).

While bumping up to 4096-bit is still well within the typical 30 ms deadline limit, it ends up eating a significant portion of that 100 ms delivery window (around 20% instead of 5%). So we weren't very comfortable pushing it that far just yet.

The proper solution is to remove these arbitrary bit-size limits and just use deadline time as the only practical bound on what calls to mod_exp are allowed. Unfortunately, that requires plumbing the deadline timer into the inner loops of the modular exponentiation implementation which is something we intend to do (https://github.com/eosnetworkfoundation/mandel/issues/738) but is not something we are able to do for the 3.1.0 release.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm now going with a more flexible constraint on the bit sizes which should allow for 4096-bit RSA to work.

See https://github.com/eosnetworkfoundation/mandel/issues/747 and #749.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh that's great change!

Btw do you maybe have any metrics how long does it take to perform mod. exp. for 4096 bit modulus with current implementation? Hitting 5ms or more for 4096 bit sounds a bit too much. (Sorry I'm unable to perform the benchmark myself at the moment).

Just for reference, I made dumb benchmark for powm implementation from eosio.ck (originally from u-boot) and compiled with clang [64bit -O3 -stdlib=libc++ -std=c++2a].
I get ~500us for single mod. exp. operation over 4096 bit modulus & base and on average ~468us per operation running in the loop 1M times (~2100 oper./s). Test vector was taken from Google's project Wycheproof.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On my machine, mod_exp with 4096-bit modulus and base, and a 32-bit exponent took less than 200 microseconds.


if (std::max(std::max(base.size(), exp.size()), modulus.size()) > byte_size_limit) {
EOS_THROW(subjective_block_production_exception, "Bit size too large for values passed into mod_exp");
}
}

bytes bbase(base.data(), base.data() + base.size());
bytes bexp(exp.data(), exp.data() + exp.size());
bytes bmod(modulus.data(), modulus.data() + modulus.size());
Expand Down
2 changes: 1 addition & 1 deletion libraries/fc
Open in desktop
Submodule fc updated 1 files
+137 −0 test/crypto/test_modular_arithmetic.cpp
54 changes: 54 additions & 0 deletions unittests/crypto_primitives_tests.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -386,6 +386,7 @@ BOOST_AUTO_TEST_CASE( modexp_test ) { try {
return_code::failure,
"",
},

};

for(const auto& test : tests) {
Expand All @@ -409,6 +410,59 @@ BOOST_AUTO_TEST_CASE( modexp_test ) { try {
} FC_LOG_AND_RETHROW() }


BOOST_AUTO_TEST_CASE( modexp_subjective_limit_test ) { try {

// Given the need to respect the deadline timer and the current limitation that the deadline timer is not plumbed into the
// inner loops of the implementation of mod_exp (which currently exists in the gmp shared library), only a small enough duration for
// mod_exp can be tolerated to avoid going over the deadline timer by too much. A good threshold for small may be less than 5 ms.
// Then based on benchmarks within the test_modular_arithmetic test within fc, it seems safe to limit the bit size to 2048 bits.

// This test case verifies that the subjective bit size limit for mod_exp is properly enforced within libchain.

// To allow mod_exp to be more useful, the limits on bit size need to be removed and the deadline timer plumbing into the implementation
// needs to occur. When that happens, this test case can be removed.

tester c( setup_policy::preactivate_feature_and_new_bios );

const auto& tester1_account = account_name("tester1");
c.create_accounts( {tester1_account} );
c.produce_block();

const auto& pfm = c.control->get_protocol_feature_manager();
const auto& d = pfm.get_builtin_digest( builtin_protocol_feature_t::crypto_primitives );
BOOST_REQUIRE( d );

c.preactivate_protocol_features( {*d} );
c.produce_block();

c.set_code( tester1_account, contracts::crypto_primitives_test_wasm() );
c.set_abi( tester1_account, contracts::crypto_primitives_test_abi().data() );
c.produce_block();

bytes exponent(256); // 2048 bits of all zeros is fine

c.push_action( tester1_account, "testmodexp"_n, tester1_account, mutable_variant_object()
("base", h2bin("01"))
("exp", exponent)
("modulo", h2bin("0F"))
("expected_error", static_cast<int32_t>(return_code::success))
("expected_result", h2bin("01"))
);

exponent.push_back(0); // But 2056 bits of all zeros crosses the subjective limit (even if the value is still technically only zero).

BOOST_CHECK_EXCEPTION(c.push_action( tester1_account, "testmodexp"_n, tester1_account, mutable_variant_object()
("base", h2bin("01"))
("exp", exponent)
("modulo", h2bin("0F"))
("expected_error", static_cast<int32_t>(return_code::success))
("expected_result", h2bin("01"))),
eosio::chain::subjective_block_production_exception,
fc_exception_message_is("Bit size too large for values passed into mod_exp")
);

} FC_LOG_AND_RETHROW() }

BOOST_AUTO_TEST_CASE( blake2f_test ) { try {
tester c( setup_policy::preactivate_feature_and_new_bios );

Expand Down