From 255b5b67c09879eb9d3e731ce45493ded9be87c9 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Mon, 17 May 2021 14:37:12 +0000 Subject: [PATCH] BIP340: remove batch speedup graph and link to it instead This avoids having to update the BIP with a fresh graph every time there's a change to libsecp and suggests that the expected speedup depends on the specific implementation. --- bip-0340.mediawiki | 4 +--- bip-0340/speedup-batch.png | Bin 11914 -> 0 bytes 2 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 bip-0340/speedup-batch.png diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki index 1de7faa5..b5a47d32 100644 --- a/bip-0340.mediawiki +++ b/bip-0340.mediawiki @@ -56,9 +56,7 @@ encodings and operations. '''Schnorr signature variant''' Elliptic Curve Schnorr signatures for message ''m'' and public key ''P'' generally involve a point ''R'', integers ''e'' and ''s'' picked by the signer, and the base point ''G'' which satisfy ''e = hash(R || m)'' and ''s⋅G = R + e⋅P''. Two formulations exist, depending on whether the signer reveals ''e'' or ''R'': # Signatures are pairs ''(e, s)'' that satisfy ''e = hash(s⋅G - e⋅P || m)''. This variant avoids minor complexity introduced by the encoding of the point ''R'' in the signature (see paragraphs "Encoding R and public key point P" and "Implicit Y coordinates" further below in this subsection). Moreover, revealing ''e'' instead of ''R'' allows for potentially shorter signatures: Whereas an encoding of ''R'' inherently needs about 32 bytes, the hash ''e'' can be tuned to be shorter than 32 bytes, and [http://www.neven.org/papers/schnorr.pdf a short hash of only 16 bytes suffices to provide SUF-CMA security at the target security level of 128 bits]. However, a major drawback of this optimization is that finding collisions in a short hash function is easy. This complicates the implementation of secure signing protocols in scenarios in which a group of mutually distrusting signers work together to produce a single joint signature (see Applications below). In these scenarios, which are not captured by the SUF-CMA model due its assumption of a single honest signer, a promising attack strategy for malicious co-signers is to find a collision in the hash function in order to obtain a valid signature on a message that an honest co-signer did not intend to sign. -# Signatures are pairs ''(R, s)'' that satisfy ''s⋅G = R + hash(R || m)⋅P''. This supports batch verification, as there are no elliptic curve operations inside the hashes. Batch verification enables significant speedups. - -[[File:bip-0340/speedup-batch.png|center|frame|This graph shows the ratio between the time it takes to verify ''n'' signatures individually and to verify a batch of ''n'' signatures. This ratio goes up logarithmically with the number of signatures, or in other words: the total time to verify ''n'' signatures grows with ''O(n / log n)''.]] +# Signatures are pairs ''(R, s)'' that satisfy ''s⋅G = R + hash(R || m)⋅P''. This supports batch verification, as there are no elliptic curve operations inside the hashes. Batch verification enables significant speedups.The speedup that results from batch verification can be demonstrated with the cryptography library [https://github.com/jonasnick/secp256k1/blob/schnorrsig-batch-verify/doc/speedup-batch.md libsecp256k1]. Since we would like to avoid the fragility that comes with short hashes, the ''e'' variant does not provide significant advantages. We choose the ''R''-option, which supports batch verification. diff --git a/bip-0340/speedup-batch.png b/bip-0340/speedup-batch.png deleted file mode 100644 index fe672d4ade832463c152b8666c8d94a8a0559f4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11914 zcmd6Nc{J2-{O<^jrOYHt7>rVctYym>LqaM0E+n)lA<0gIj3p*QmdH|MUrH)#_AS}T zzGq*@&fI6DZ{2h5xqtl5{o@|aF+TG=@8|uzm)Cpy_^V%6I!ePz1A#z}swiL5gh0rV z5Xd2YDsu27Gu2)m0wKGiuBxp_BoZNSzz@XK)RdEx6OBeMEG#rPH^;}vhlGR-4i1)< zmS$&XdwF@4l$5+7BHf5`O=UUd#PT-MJy{LzOf~~F(bZ_BYMes zc|p9)h+bx8q>pk8UJT$DqGK(DSC{L5)Bh6EHjkYrzJE5DV}h zgxCeio}VWcl+X8Lhls>QoyE-V3H&^MQB)M%aeREdv9YnNtSmo2KPoE9)6>(+%Iey+ zYhq$ztgNg+CUQeRfF$1X@p%&4!ENNcNM{I}d6jt)AzpICG9>2iaBVH5Ob!B>pDzRF zf#;+@kT-9D@Bo8E0p*ZN@QKVp^STy9Zlc=?{6lT4Z14yIp#xvgRg#7C)3HGyNQlZM zjJ8wk+-n1Dx^$l63P#}6x6{?Re;D^VMc<#|1TkBa!7`kv z0##>-*T67Xk~3b?5Lf?y`oZVqS?dvABUhB*nyhp9yE_ptr|vBgvI6y{d7>wS#{@=N z1#I>(^{FM1Jab}$d>VI0nb#>9eNOtX$f%7vt!lGA=fKbCf0=F@+1$lIx70`yC&ynJn1`#Nax*&jJ^C9!511vFHuqlSEjy*NYWA5I$JB=B86!* z8vV!|+%c=kN%fHFd1#AkG*l2Va< zy+}xs6wH&E-}C57*X%58&uAdbXo!ijF}*4w@+;H7{pfY~My43|xoep%`BqV96xuTr z+}Bl_7HAbOG<9qUd&p3=qI;m6(xIhsQ<|6O+E4MfrJm0|?@1?Zq>Ud+?Rw_4lOi## zw`lVqI0n6L^`Rw0tcmlcSV42+%w>Gbq0x01wz4A0X2)Wn_sH}!aIIUIt@*I%rht0` znlJMUp2ONs6eH(a6&4dl$GZ6I*Dy)yyQ&vi>ZZ@BPMW_s>dB>z|MAOD-+4X9h-GEZ z-^RENg$pcl7nKN$@Nnl~Ix&Ezw@4LNb%>^%jx1?j^Gw~wDgge6eLwW$p4&6#1L{_{ zweua=+?=*oyR1E@gJ=5V%l zZ1)tVk*efvdQVX9bokQtY>vcZxW%j0pnKw9-!;-UO&6=-6OF#m$~wgExnv5q)Yfki z9NF&9@->uX(a@q{%6AJ3 zotqw?rYx?v2poGpDMbt9*%sX?>=yo5ek~e!3d59ns^KFG6lBHOo^b z+)=x5H~3hxT~vFzT=6;FsGH=Fu)$L6lpX&3mCLlMgGAJI^Sxi<9VL_b7M5QJQ#~EI zln324AGshbLXZ_2!47VS%CQq3#g6_9ZmCggAN;OVr$nFM&JC@*H0_*Kl(tHgxq9X==Eff*Eq9C zz3g0?$J`Dd*T|t>UiZ*>e%hG8Pz8N8iJaO+Ur*sZB}rMA*Swvp_euSmj~1T6NhCsx z!P&`Azh}F`P))<wfi$&rCSw%vgbX+xvQee(!qG%=KMY78w7%Q2_||K`iiwQv#;we{*A}4L1c$0Tz*fAugK4K7{1#TP$z=VJ;fL)PYn+QjsN)eHP^o z`4!7ET>30!+kKT%>mx~M3M}`hnMRAOM#WM zV3s8YoL$#p=R9@p*`V_k?L^`j|4KUcIM!{k-rnJv#nJdDI&b4A1_tjN7&qM}|4*?b zsqs*V7=@^9xsSjM)@KjJUVY2U1|**U2*0yi{Ln%J^ODD27r%P3SC|b?6VGr}#Wt@< z=btmeuwxtF#ecSRUSw}lJ!~r)@%KwFilC2syS*N}u}CSCL1@yplojoFPX7AGW%>;P zNKUcTX{TXVbj5uM-A~MgC7G*Ao-#YRT*|U*xAM?4AK_z{oM-+T#Ere(?e#%VqBy%0 zSFQDkQt5X6tEKY$J)5_LNM?Cpowkf=gdAjTFM_^ti$&=o<)*^!?6osf^-W}2uZcmN zy$uLvZiNO@{#sKBrRG+Nf$Yt1lEx+)eP*jUADFEra*Xy6|Jkz{EXgmkzv%1J{^iMk zjxZK#nOch3x5zA}jfbB&`Ec|I=qi=gUw_FdJBHGRdmdP3x$inh+bLDx4&EydQPX}j zi4>JLQQ!VCJ$mkVuaPr=PpJAVOIT3(J z#wW}Oj5a_R<0^~W$CCeog)NoGKO!RA%9+!z{by)qJe@!i zMSmPLzh;djaX^0S$2*__`$rkm$KL%VzeqbFmL2ie@3DKqkAcX6=l`;qn@Pa(eyZ{X z0{Dv&>5?aIu>6B2V*9JviF?mE%cFpR>}k(nCENey=*=wwoEG5p;cqqH+30GKO(S?! zOpstGFc)dHLgv?`10O#eB+g0ar*|}xqHfS>vVWK1XnYTSq2>V7e}?u$kbL8MHPTTIy0HoE-l8O?HX-M8#aZ^gN`ThEL-aq8uZHX5{&m~|2Q3anJ5f&3l z1VbwOw?*gvQ<9wRT8q6RzN;H{s~VcGI1y3|IXL6n?p^edaQWL&Ds`t1;Kc@df6hJ-S z_kHS1fEtheIzg=&%9CMAzH>U9C*RtE5{hxTjIHe1GQUmcsWQ%@noZd?(l(ZKi<@eu zI}NPL{u6Co-%?|C+HRdxX62EFz90vY!z_DM9>442b+O^_D3>nmma}lDW?aRpq3uzn z%X&G-?oy)Y5~+llD=X@hYP9hJx8qX1KOsm?Op2d5dWQ4%U;R$dYQ8+0q4n67X_OQp zfoKn{T~U+Z^c$d=7hnroHxE~gPC1s&WtQ<)CIEvUje*(T?lF^5c_>5{In8~;4p*AQ zU$LR=a*((Xi{ds`^du!RUe)fA|!6w8gc<|R}{eVY1sFizl%J_M5UzSNI z?LQjRPj%)&y@S&9#>_4$2pk--7-{i?93kZ>N=2_|Y4Jk}XAX&_`R7dXSs&g>iGdX-9zSt_8ROn~snZLAzJ4f2cWh@;?EcnTO7G#C+aD+@)1J(75s($ufo0o&uaiDu zo%_d4Bl!A&Hkh`{XIqm9%`0e))Iwi(C(6!yy+IWI)7O;fEvrV?&Cd#co|{dw+}TB{ ztT^}Psj@V9=Q6P!7(t=oP(+Pvbz_LPu&Fd%Y*pcb|CS}Zt!tPw`~mDwFA4z_A&&QX zZETi)G57zBEGXc}(Qxpsvx7fMVh+~2F3LDI@0}h27eYXP_v!~~Yfz|jp4ND$q0Acur zacs>`_DmyKGvhm&Ou{{chaWAt7)ph9vXolx@m>w< z*lCKORJ&5;iLj9!N>x)3Qr4^<|1O2=F>`C}@s`+BxglJo?KbIOk^amCpYba@@?`_p@NfbK_e-kcc&DX9Rc6;B5JR zB2yNoxpZP(>HBa_*XL1?zKnSz@+l`n!fTfLTEd6h?eH+sEzGkX8-Wk)pThU<6U)4h z)OfO@lEsX7dM1L9o82LG-d*zeD()asSp9+&vnCjfl`7P_TOY3C^8O%5a z_qu@AuejPZ*D>zbp12=HzGHO@dPBioiD!yyX%XPXM&eNw#9Vh^c*1!0v9WFB)j_Ay z30iL{K~ly|!Vi7-(??M6I6og9zi)D&v5aEmG!(HGeZ5s|Ampm^R_PaemL7n&Ypk@P z)s|5@$5OZfjBLpB0>Rb!jwXI!vRE*7XZ{ByQ+X7YZ+Q$C8sd#7kta#{c!Zks8xl>= zr@Cs9xCpL>y;WvA*wTTSN-y zrw!Bo<0M!cg%128^DBN=gISJU;kV&eBkJjWA8MgI4n)3Tobhs7IDuyQgiLG2xm%ce z(VM$2@9VYxIN^`}XK6L}ap9LOSx`j&?muv|Hxt8Q+ikt~^!@n&f+S9~y0nE6@Jbt+ zj;udHT(xa5$5ma_`3Iojg&Ykk(ksCNixHy-;jl~#1=9Zc2_4;~c36uPl~|6ENv?m2 zOX2B1$&S^lCTOzOLFJ@+*G~^0jQL$xZ2D*ChcN9|Ahh!6HIXxw>CwM4*wr9{mjzsi zYANl^Z+)?cWkSd7??XU6Qk3SO_x;>qJ=<=6u%0))?;9+|$4Te-Z!KPd;l>vI;o0{N za+L?N$QPqL2WuH5SZ|br@+kXWqCkrRC;y*qW(zu~AxWI)5mRy$mIUa(LCU(ggy7YN za0OX^MVDNNnE-~}SI7!-i&x2zlsbVlTPdRv3DJ7@O3pj`uk}__TSw*ygQfCRy ze`VD;Bc*LR*9eXVvI$dhVW{pY8a6+yC-JF5q@lkk!>e@cG0Dn0FFJ&UoWhnFzWSOY zqwW;F^L)Ke#F+msNUV`h$G0l_cJ{C&lJC!SRqK-SIWYy>_sQRC!W`$mfych1BV+Z5 z%KIqU{5FK0c;vSR?^Rn`yD!_}#rm7BTPK+B8GuAW*(`T$stM}!s1H6dik!N=b)sn8 znG^{?ob>q5Z#57B(1At6L-#^C0Z z&{fZ49!^^@1dUp894~lG9V!v&DAbUDJGKaIP_e2KOZU!rBEhB5(k;&%bulC4C8qG=_2v#OO<+`l& zP)?TxE?mMiE-a4Cyu~XwA}{hbNt@ioK`|Oky_SspYWtPHE#pW#xv{TJ!)oHuCfH2P zyE20yS|ENhE%wePXg8l7$rp?6R3uT~bf5(N2fR{3KFsEKrC+A*-4Dyr{dx*?7l!O9 zX=7l*U87{AYQI*@c_TMO1fYl88~h`p4Rqrw9|PGG0JNv_1=e3Y$vo@!i_xs2o(K?c zS9OE3@3op5zWC3%B#FANMzHR)uE!*2tK4+LqyV&L!23vsI>o&^Pm$th^bXsIUT|O$ z?z%<78r%5?j=NsPtr9l{lvyJ!broYny?$o`Sh0tB#hYGDBPqZbM^#){-hM=8T+A=i zzZ!LXy5t6Min!#IxfGhmp&l^#j*4?_Y7DwtFN{QNZJl{s%3Pp>1~!=1nuq&f=@;Sn zf#BuMQ9~lN06iO6)Y!JM1f}7W>rUbalm-HIUM;9ht}0OGD*OO?bU|=8N0p|)i^iQu zHZg0`Iy^xhytUD=VNunl$9@Ak%gD0-#f=~1i!@oR?1xDHezw79JLrjUmzFZ>(6-fW zK$pe*t%kwnj9{<)S9y-Jr-U)aqG$t==jJH7lZQNn@?7rxh(_jUugf-4*6F~x79aUD zqV^u=@TARet5ww;z;tGr!Rwe_hDtSH8g8NAi%!uNjeoP;u1v?z+6K)}5Gd~#t<4l& zdhM-$YwhWK8J}~cXm7UrHeN~g&~ebinR3aO%?lGSe@c zJay0_`_b=`?6*MF7NlCT zP|RLZftdmgg8D|?am6KQdYEmr*}GCPZc=e)BmJuaU|NRl1`F64yYyMV|NWWL=BlkX zr6qlwhI?u4eI8aH=3ADB ziBib4SLgwuE8|m9)ae@+DqV{CRI}8#{0uWCoLe-FX_(<@ekrQgbyWjSrrkbST1xH0 zSDUhltb0!J)WM5V7Ua#K9r)dej=shfe0LJp6n}$=1jVE#rEj(o%oAMp2zKZ~Uz3RGqV^_U9kpZShDg3u!$VVpEm|y& zzgfVR-b-sdsJo@Gd*0*2I#=B3AMp=B0(E35PK_a$ax+K}N;ITe{u<$mWFKm{vqDyW zBApbA5o?BYxryFb2eC(>NL`^+tEM4mH+fA?=X#EE)A`M!Py_z90ebXK3et1KLRtm= zY|D;30=pyAk&Jqu%%RGH+4~~p5>c|`(G*!l@Yw;q*qd2UAN%_taE%1P7z!$>Np+t& zfN@r)7+CFCH>nN*vfPkM;0j*d#>^%qrSk(rf}=HfL$>VL05E~#7&RnQLq}4d3Eqk5 zudf6l6;VIk=PEB1(&g<3mkJXw^bq-045fKOUTqjs*1O`kKmj0hwn|jOm5yQlaL~s% zuW37p>u!mQRQo9$>%(cXCsJ!5{~U?kQr+?>14S_vp?|=w%pjQjwb1IyrVawV8atUZxBaGHL|Vud_S$n<5tn z?}w1!tPBtwR^_~uKx(nO){*zib~#nGrBp`Y+5 zE~d$wa5N=oD;!3Z(fhEFK*GK!K9R$mF_(i^=15H^`4OpZQga*h*g@q~*is&Ti_{{I zFA zj-TZ2AWM4$ryWcn&yqJu^yX(Fkuxo?t{iUZDD^BzSCHzQN&Z9BBefUs$=GB7ccy1ay%s(A+smPC0OE_T$8|P;-@c>%$(fgs6COd z*^KU>h#WxmxTPZLN#M%FE!Gw?`4A&0!fql$lQ?^r&h_XcyvxKfmJ2ky^v#d0VqmXz zW#Sf0G9=H&po$dhKF2c$ee5oqdh%U@GZyQWazuy(JnNFm3@l=F?q<{8H{)#so;BYm zGp4ys9qY!KyAoixLRN5Pf0P2C0HK0jjOv|z9Za!laltcR(N;XtPyOPP$8M*|5NluT z)9Pk)+$o*IYMAX3icEjh$ZF$L9xWMX7|~!yAKERx=j}e{NeA@kcMZPZar?OJSk@vT zx%mTmUqX_cl;++PDgm}!Z{K*d{Nu968_w;;BOpIGgX5~%Ay|*Q%MqwpO)#R3j<*ut zmSoOvwmr{6tYSA7SbsH(7h#K-u*Uokp&$s4GhQ7^ZRR4SpmeUe)aH#FW_w#7m%sh` zRZohJjF`Q=BhD+u@r3qKSp4kGFozC>&u5ff9aT_i_a-I`wyL);m{Ks;8BePP;loX~{V`C~smC83 zsaALPQ+U!`rboWCap*A69g?Dl`2J{zLKJ->Qs3yhHVpT80CfK<8}QLy5Xg}x(z^f} zn8Q9wdU)$%x_!}PPtxYC{5&PSSqLM|WA1987(yp$HRo8&L5+DZ=i*ZyubTkefyvSD zu}m#OXh(ewaEOIluyrUH@La+OJC6l&0&6F^q>msDUBUnFtjctCsOB6%C@$JW7hW{A z2K<9W+!RADEa!F!;{hAg5LNcS! zK)n>BI9Y44LiQQKMk=U*9*#dlwhc2@+TZ`p)&7tQe(5$R3|cab|; zqxPF-rSlhL`vmzRDGvbd;2xwMap!QsSsWm|x#S^TCc^EbCTa4rpnZpX{!9!*7%gti zkVQ&4{@pXrhcmH}Farj3in687?^_i)2v@AxQ^Ixf>OR7j$2e`sRQ8zH9hliOM49KXW4Vp+}s;f^R9SXVS)EJZOX?|Rf zi(Bjb_d~HwkMRnAhi{71Iv*S)B>^pOf3|auzqb6;WDe69&2Kv(4MG+1AL3m0n?2XV z(LgwdfH>`_LX+ZLirQ>MMQOWF(Nf zfBDh>r2geKQo2YJXt`qcNNZovMu(Z{IeqrY0Rujp>WjW? zd8UI?mW<*2F|ZuHvA;I7NitW4Lz1)O`AF$)^~xoExV1;wl@3ylM)HZ#OeB*8C#Vou z|5Ip#9>&4xEh&QUFkB+2%amWm2yBxDer!I_R^b!mbF+c}%tshT}C*(gvqMD3I1udgie<&v^2aRl5ev80|16F(IDBSt}N= zB-t7goOBCZ&t7oe-2FMmJ-xta8K-l1mw1f85vWWn%4+f+xknaLbr&=8;*hC9qD?-% z@9A2LwP96w6^s=VPGxTjzo{! zhwkS|8B=+m4UvMmTc}WCZQSOs+I!Fec=_dHpKc zuJ43aOzY89U5d>GWQ_t1wY+b~l8#xWqG3UdzYIHtNKEL~J9Z<>{)#e+g#0w*)7)Ij zvmhB7VBxNj0;hY+Tq(QHT02KrxCyS^u+l0Lunc)va`JkoU1)W=C(A;<>pSf zg&U@;>MzL`sY8p~e33~CY#f^am;ZUeLJi-Q{u5rwiCXm}9OTjFue~#9Mp`D4T8SMn z0G0=5`MqzqZ^_n|ZF6vqjb5`l>H$ zy{F4%_jCrja%5oEF{vf4v(%L3rYU~+cEr&Ce7`&Hv6+MKscbXCv50ly&o>tGvk6;Q z^*wP_#XWPElTeuwCgszo1Qu@Ee;v4OIzx!e*@FkV=J!6o>}p8#u=II=Sse6KX9#)0 z=#yWRC|Q$*46uK+L9y8&Iu_ilsLRj*gj8_q3%URsa57{(jFEAC;Q#U#O*f;@20V+` zJ+6ywA<{M?Lh6}`sI`QUVj zS&pgy>}6UFd}FL|#HMg{G*4(qL8y{&clIU6Bwt?T?V5?^Q$C zymW$b?A}R6pJVLiuN#vT1TH$A#qFp%`CM*xNT zyx%w`sd86#AS&ECo+mhvT_-QAG55(_0`5u2bfkg7+P1@soXRgee6@C=qBb^yG@36r zSG5wS*8DEF-BBxuE^2fd~HbaY<(tqUEjih4hyG13fVTztY zy}ZnPr0;kibiTTb&olU(=t4!GqG*tPSA!*`iI2I;vOPmv@qS#Y>Gk^g{w6KOd=|b2 z$EL=auPOsssf0p)!D%i{Eg`|McURjZ?nE>z%|*Mo6H4Tbvg)jKx3bzk-7!sfcioLX z`?JW(@R|oyEAb(G@ysPksq4jG&RaKX;|ps8L{;)rS%%tS%M&nXjdun=RWFPfrmZz; z#CEAMCY@8x)ZFcK)PLEYec8^~{VKQ0%DsWC+4+&Fd#bQNZ|AhMdmvqQP4T76_>zvXCwELZ)=pB$RBK{_ z+cIVlm~U|Ly5fBkOp;{H&{fC zszIPr7ZbPjiMg{U3y?Zut~MVHZ7_L-QL;jxkl-#ZrsX*$l$)JD`EfQFZT#^M+YTd% zgSwTpm}rgSDDPEICnyFdg)>;McMyk8b^a{sH)VRRH*5D*#kZhi8Zl;M9gj5F>@b`} z*4r3jT3ds{qS-IeVxAT2+eMF8T)Cq^TU9?(&YH`dK8St!_&vAE&l~D(j_!m6`QA6V zVSRywOaf!F;1@n+M#9%R2cZaiulZEDzS%m~V51