From 0d2b7f971d0d6a727a722bef04cce0c1078e5443 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sat, 22 May 2021 03:59:50 +0000 Subject: [PATCH] bip-340: reduce size of randomizers to 128 bit and provide argument This (currently) speeds up batch verification in libsecp256k1 by up to 9%. --- bip-0340.mediawiki | 2 +- bip-0340/batch-randomizers.mediawiki | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 bip-0340/batch-randomizers.mediawiki diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki index a67afe36a4..eacc71737a 100644 --- a/bip-0340.mediawiki +++ b/bip-0340.mediawiki @@ -201,7 +201,7 @@ Input: * The signatures ''sig1..u'': ''u'' 64-byte arrays The algorithm ''BatchVerify(pk1..u, m1..u, sig1..u)'' is defined as: -* Generate ''u-1'' random integers ''a2...u'' in the range ''1...n-1''. They are generated deterministically using a [https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator CSPRNG] seeded by a cryptographic hash of all inputs of the algorithm, i.e. ''seed = seed_hash(pk1..pku || m1..mu || sig1..sigu )''. A safe choice is to instantiate ''seed_hash'' with SHA256 and use [https://tools.ietf.org/html/rfc8439 ChaCha20] with key ''seed'' as a CSPRNG to generate 256-bit integers, skipping integers not in the range ''1...n-1''. +* Generate ''u-1'' uniformly random integers ''a2...u'' in the range ''0..n-1'' or alternatively in the range ''0...2128-1''.Integers are not required to be larger than 128 bits to achieve the desired security level of 128 bits (see [[bip-0340/batch-randomizers.mediawiki|lemma]]). Shorter integers can speed up computations in optimized implementations. It is recommended to generate them deterministically using a [https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator CSPRNG] seeded by a cryptographic hash of all inputs of the algorithm, i.e. ''seed = seed_hash(pk1..pku || m1..mu || sig1..sigu )''. A safe choice is to instantiate ''seed_hash'' with SHA256 and use [https://tools.ietf.org/html/rfc8439 ChaCha20] with key ''seed'' as a CSPRNG. * For ''i = 1 .. u'': ** Let ''Pi = lift_x(int(pki))''; fail if it fails. ** Let ''ri = int(sigi[0:32])''; fail if ''ri ≥ p''. diff --git a/bip-0340/batch-randomizers.mediawiki b/bip-0340/batch-randomizers.mediawiki new file mode 100644 index 0000000000..32ed6a07dc --- /dev/null +++ b/bip-0340/batch-randomizers.mediawiki @@ -0,0 +1,16 @@ += Size of Randomizers in BIP-340 Batch Verification = + +'''Lemma:''' For public keys ''pk1..u'', messages ''m1..u'', signatures ''sig1..u'', the probability that ''BatchVerify(pk1..u, m1..u, sig1..u)'' with uniform 128-bit randomizers succeeds and there exists ''i'' in range ''1..u'' such that ''Verify(pki, mi, sigi)'' fails is not more than 2-128. + +''Proof:'' For ''i = 1 .. u'', let +* ''Pi := lift_x(int(pki))'', +* ''ri := int(sig[0:32])'', +* ''Ri := lift_x(ri)'', +* ''si := int(sig[32:64])''. + +If there exists an ''i'' such that ''lift_x'' for ''Pi'' or ''Ri'' fails or ''ri ≥ p'' or ''si ≥ n'', then both ''Verify(pki, mi, sigi)'' and ''BatchVerify(pk1..u, m1..u, sig1..u)'' fail. + +Otherwise ''Verify(pki, mi, sigi)'' fails if and only if ''Ci := si⋅G - Ri - ei⋅Pi ≠ 0''. +We let ''ci'' be the discrete logarithm of ''Ci'' with respect to a fixed group generator and define the polynomial ''fu(a2, ..., au) = c1 + a2c2 + .... + aucu''. +''BatchVerify'' succeeds if and only if ''fu'' evaluated on uniform randomizers ''a2, ..., au'' is 0. +Assume there exists ''i'' in range ''1..u'' such that ''Verify(pki, mi, sigi)'' fails. Then ''fu'' is not the zero polynomial and by the [https://en.wikipedia.org/wiki/Schwartz%E2%80%93Zippel_lemma Schwartz–Zippel lemma], we have ''Pr[fu(a2, ..., au) = 0] ≤ 2-128''. QED. \ No newline at end of file