contracts: add gaspad and gasused precompiles

[CedarMist]

Unfortunately this has different semantics than was initially intended as the initial gas cost for the calldata is added after the transaction is executed.

This means that there will be a 12 gas difference, even after padding, between every NULL and non-NULL byte of the calldata. While this has a very small impact and won't reveal too much sensitive information, it will still reveal some information about the encrypted calldata.

A suggested workaround is to add bytes calldata fuz argument and filling it with one non-zero byte for every zero byte in the other arguments.

[matevz]

I'm considering the threat model of the gas attacks. By using the new gaspad(), an external observer really cannot know how much gas the actual transaction spent. But, by calling gaspad() on an adversarial node, the attacker could see that the call was being made (the attacker knows the location of the gaspad() function inside the sapphire runtime), but he cannot determine how much gas was padded. Am I correct?

[CedarMist]

I'm not sure about the threat model for an adversarial node.

[matevz]

Can you make the naming consistent with the rust code?

[matevz]

We should also add this to:

• https://github.com/oasisprotocol/docs/blob/main/docs/dapp/sapphire/precompiles.md
• extend our docs chapter to cover the usage of gas padding (https://docs.oasis.io/dapp/sapphire/guide#writing-secure-dapps ? )
• extend one of the examples to also cover this (demo-voting, demo-starter?) or write a new one