zzstoatzz.io / atproto-bench
this repo has no description
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

update k256 to v0.0.1 (precomputed tables + jacobian arithmetic)

switch k256 from path dep to tagged URL dep.
sig-verify: 2,436 → 9,796 verifies/sec (~4x), gap to Go narrowed from 6x to 1.5x.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

zzstoatzz 20dad58d 4f1db9b2

+65 -3
+61 -3
README.md
··· 120 120 - **error handling**: all SDKs use infallible decode functions that never abort on failure — errors are counted and the frame is skipped 121 121 - **capture coupling**: the corpus capture tool uses zat's CBOR decoder for the commit-with-ops header peek. this is standard CBOR parsing (not zat's typed firehose decoder), but it does mean frames that zat's CBOR decoder rejects won't appear in the corpus 122 122 123 + ## signature verification 124 + 125 + a separate benchmark measures the full signature verification pipeline that relays perform on every incoming commit. this is CPU-bound ECDSA work that compounds with scale (~500-1000 verifies/sec on the live network, much higher during backfill). 126 + 127 + ### what it measures 128 + 129 + per entry, both SDKs do identical work: 130 + 1. CBOR decode the signed commit (has `sig` field) 131 + 2. strip the `sig` field, re-encode as unsigned CBOR (deterministic DAG-CBOR) 132 + 3. SHA-256 hash the unsigned bytes 133 + 4. ECDSA verify the hash against the signature using the account's public key 134 + 5. dispatch by curve type: P-256 or secp256k1 135 + 136 + both enforce low-S normalization on both curves. 137 + 138 + ### two tiers 139 + 140 + - **full pipeline**: CBOR decode → strip sig → re-encode → SHA-256 → ECDSA verify (what a relay actually does) 141 + - **crypto-only**: SHA-256 → ECDSA verify with pre-computed unsigned bytes (isolates crypto cost from CBOR overhead) 142 + 143 + ### results 144 + 145 + _3,072 signed commits (all secp256k1), 5 measured passes, macOS arm64 (M3 Max)_ 146 + 147 + | SDK | variant | verifies/sec (median) | entries | P-256 | secp256k1 | errors | 148 + |-----|---------|--------:|-----:|-----:|-----:|-----:| 149 + | go ([indigo](https://github.com/bluesky-social/indigo)) | full pipeline | 15,109 | 3,072 | 0 | 3,072 | 0 | 150 + | go (indigo) | crypto-only | 15,012 | 3,072 | 0 | 3,072 | 0 | 151 + | zig ([zat](https://tangled.sh/@zzstoatzz.io/zat) + [k256](https://tangled.sh/@zzstoatzz.io/k256)) | full pipeline | 9,796 | 3,072 | 0 | 3,072 | 0 | 152 + | zig (zat + k256) | crypto-only | 9,716 | 3,072 | 0 | 3,072 | 0 | 153 + 154 + Go leads sig verification by ~1.5x. indigo uses [decred/dcrd](https://github.com/decred/dcrd/tree/master/dcrec/secp256k1) — a highly optimized secp256k1 implementation with specialized 10×26-bit field arithmetic. zig uses [k256](https://tangled.sh/@zzstoatzz.io/k256) with GLV endomorphism, precomputed base point tables, and Jacobian point arithmetic, on top of zig stdlib's fiat-crypto field operations. 155 + 156 + the crypto-only vs full-pipeline numbers being nearly identical confirms ECDSA is the bottleneck, not CBOR re-encoding overhead. 157 + 158 + ### why only zig + go 159 + 160 + only zat and indigo have production-grade signature verification built in. the raw/jacquard/python implementations don't include commit signing — adding it would mean hand-rolling crypto, which isn't what those SDKs represent. 161 + 162 + ### sig-verify corpus format 163 + 164 + ``` 165 + [u32 BE entry_count] 166 + per entry: 167 + [u8 curve_type] // 0 = P-256, 1 = secp256k1 168 + [u16 BE signed_len][signed_bytes...] // signed commit CBOR (with sig field) 169 + [u16 BE pubkey_len][pubkey_bytes...] // compressed public key (33 bytes) 170 + ``` 171 + 172 + captured by connecting to the firehose, extracting signed commit blocks from CAR data, and resolving each DID via PLC directory to get the signing key. entries that fail verification are dropped during capture. 173 + 123 174 ## corpus format 124 175 125 176 the fixture file (`fixtures/firehose-frames.bin`) uses a simple length-prefixed binary format: ··· 156 207 ## usage 157 208 158 209 ```sh 159 - just capture # capture ~10s of firehose traffic 160 - just bench # run all benchmarks 161 - just bench-zig # run a single language 210 + # decode benchmarks 211 + just capture # capture ~10s of firehose traffic 212 + just bench # run all decode benchmarks 213 + just bench-zig # run a single language 214 + 215 + # sig verify benchmarks 216 + just capture-sigs # capture signed commits + resolve public keys (~10s + DID resolution) 217 + just bench-sigs # run all sig verify benchmarks (zig + go) 218 + just bench-sigs-zig 219 + just bench-sigs-go 162 220 ``` 163 221 164 222 ## methodology
+4
zig/build.zig.zon
··· 8 8 .url = "https://tangled.sh/zat.dev/zat/archive/v0.2.2", 9 9 .hash = "zat-0.2.0-5PuC7mAuBADmN7OZkGvymjk9jq4akxdl-IlHSo8r25pr", 10 10 }, 11 + .k256 = .{ 12 + .url = "https://tangled.sh/zzstoatzz.io/k256/archive/v0.0.1", 13 + .hash = "k256-0.0.1-w2pjn9SAAAB0I4uAqDlAOK7SAMDjHub40Tb6ukbmKt5t", 14 + }, 11 15 }, 12 16 .paths = .{ 13 17 "build.zig",