Open
Description
For public keys pk_1, ..., pk_u, messages m_1, ..., m_u, signatures sig_1, ..., sig_u, the probability that BatchVerify(pk_1, ..., pk_u, m_1, ..., m_u, sig_1, ..., sig_u) with 128-bit uniform randomizers succeeds and there exists i in [1, u] such that Verify(pk_i, m_i, sig_i) fails is less than 2^-128.
This speeds up batch verification in libsecp by up to about 9%. If people agree that this is a good idea, I'll open a PR upstream.
Proof sketch
For i in [1, u] let
P_i = lift_x(int(pk_i)),
r_i = int(sig[0:32]),
R_i = lift_x(r_i),
s_i = int(sig[32:64]).
If there exists an i such that lift_x for P_i or R_i fails or r_i >= p or s_i >=
n, then both Verify(pk_i, m_i, sig_i) and BatchVerify(pk_1, ..., pk_u, m_1, ...,
m_u, sig_1, ..., sig_u) fail.
Otherwise Verify(pk_i, m_i, sig_i) fails if and only if C_i := s_i*G - R_i -
e_i*P_i != 0. We let c_i to be the discrete logarithm of C_i with respect to a
fixed group generator and define the polynomial f_u(a_2, ..., a_u) = c_1 +
a_2*c_2 + .... + a_u*c_3. BatchVerify succeeds if and only if f_u evaluated on
uniform randomizers a_2, ..., a_u is 0. Assume there exists i in [1, u] such
that Verify(pk_i, m_i, sig_i) fails, then f_u is not the zero polynomial. We can
make the following inductive argument (similar to the Schwartz-Zippel lemma with
d = 1, a_1 = 1):
u = 1: Pr(f_1() = c1 = 0) = 0
By assumption.
u > 2: Pr(f_u(a_2, ..., a_u) = 0) <= 2^-128
We can write the polynomial as f_u(a_2, ..., a_u) = a_u*c_u +
f_{u-1}(a_2, ..., a_{u-1}). If c_u != 0 then there is at most a single
value for a_u such that f_u(a_2, ..., a_u) = 0. Otherwise, c_u = 0,
f_{u-1} is a non-zero polynomial and we can apply the induction
hypothesis.
qed
Ping @sipa @real-or-random
Metadata
Metadata
Assignees
Labels
No labels