From 91cea992600d8b8d4dfdc7628fad0335d030757c Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Thu, 18 Jun 2020 13:34:25 +0000 Subject: [PATCH 1/8] Add scalar_chacha20 This is in preparation for schnorrsig_batch_verify. --- src/scalar.h | 3 ++ src/scalar_4x64_impl.h | 89 +++++++++++++++++++++++++++++++++ src/scalar_8x32_impl.h | 95 +++++++++++++++++++++++++++++++++++ src/scalar_low_impl.h | 5 ++ src/tests.c | 110 +++++++++++++++++++++++++++++++++++++++++ 5 files changed, 302 insertions(+) diff --git a/src/scalar.h b/src/scalar.h index aaaa3d8827..4b13bd7bea 100644 --- a/src/scalar.h +++ b/src/scalar.h @@ -102,4 +102,7 @@ static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_ /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized.*/ static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag); +/** Generate two scalars from a 32-byte seed and an integer using the chacha20 stream cipher */ +static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t idx); + #endif /* SECP256K1_SCALAR_H */ diff --git a/src/scalar_4x64_impl.h b/src/scalar_4x64_impl.h index a1def26fca..fa9ea89a1d 100644 --- a/src/scalar_4x64_impl.h +++ b/src/scalar_4x64_impl.h @@ -8,6 +8,8 @@ #define SECP256K1_SCALAR_REPR_IMPL_H #include "modinv64_impl.h" +#include "scalar.h" +#include /* Limbs of the secp256k1 order. */ #define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL) 
@@ -865,4 +867,91 @@ SECP256K1_INLINE static int secp256k1_scalar_is_even(const secp256k1_scalar *a) return !(a->d[0] & 1); } +#define ROTL32(x,n) ((x) << (n) | (x) >> (32-(n))) +#define QUARTERROUND(a,b,c,d) \ + a += b; d = ROTL32(d ^ a, 16); \ + c += d; b = ROTL32(b ^ c, 12); \ + a += b; d = ROTL32(d ^ a, 8); \ + c += d; b = ROTL32(b ^ c, 7); + +#ifdef WORDS_BIGENDIAN +#define LE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24)) +#else +#define LE32(p) (p) +#endif + +static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t idx) { + size_t n; + size_t over_count = 0; + uint32_t seed32[8]; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + int over1, over2; + + memcpy((void *) seed32, (const void *) seed, 32); + do { + x0 = 0x61707865; + x1 = 0x3320646e; + x2 = 0x79622d32; + x3 = 0x6b206574; + x4 = LE32(seed32[0]); + x5 = LE32(seed32[1]); + x6 = LE32(seed32[2]); + x7 = LE32(seed32[3]); + x8 = LE32(seed32[4]); + x9 = LE32(seed32[5]); + x10 = LE32(seed32[6]); + x11 = LE32(seed32[7]); + x12 = idx; + x13 = idx >> 32; + x14 = 0; + x15 = over_count; + + n = 10; + while (n--) { + QUARTERROUND(x0, x4, x8,x12) + QUARTERROUND(x1, x5, x9,x13) + QUARTERROUND(x2, x6,x10,x14) + QUARTERROUND(x3, x7,x11,x15) + QUARTERROUND(x0, x5,x10,x15) + QUARTERROUND(x1, x6,x11,x12) + QUARTERROUND(x2, x7, x8,x13) + QUARTERROUND(x3, x4, x9,x14) + } + + x0 += 0x61707865; + x1 += 0x3320646e; + x2 += 0x79622d32; + x3 += 0x6b206574; + x4 += LE32(seed32[0]); + x5 += LE32(seed32[1]); + x6 += LE32(seed32[2]); + x7 += LE32(seed32[3]); + x8 += LE32(seed32[4]); + x9 += LE32(seed32[5]); + x10 += LE32(seed32[6]); + x11 += LE32(seed32[7]); + x12 += idx; + x13 += idx >> 32; + x14 += 0; + x15 += over_count; + + r1->d[3] = (((uint64_t) x0) << 32) | x1; + r1->d[2] = (((uint64_t) x2) << 32) | x3; + r1->d[1] = (((uint64_t) x4) << 32) | x5; + r1->d[0] = (((uint64_t) 
x6) << 32) | x7; + r2->d[3] = (((uint64_t) x8) << 32) | x9; + r2->d[2] = (((uint64_t) x10) << 32) | x11; + r2->d[1] = (((uint64_t) x12) << 32) | x13; + r2->d[0] = (((uint64_t) x14) << 32) | x15; + + over1 = secp256k1_scalar_check_overflow(r1); + over2 = secp256k1_scalar_check_overflow(r2); + over_count++; + } while (over1 | over2); +} + +#undef ROTL32 +#undef QUARTERROUND +#undef LE32 + #endif /* SECP256K1_SCALAR_REPR_IMPL_H */ diff --git a/src/scalar_8x32_impl.h b/src/scalar_8x32_impl.h index 62c7ae7156..61c1d96fcd 100644 --- a/src/scalar_8x32_impl.h +++ b/src/scalar_8x32_impl.h @@ -8,6 +8,7 @@ #define SECP256K1_SCALAR_REPR_IMPL_H #include "modinv32_impl.h" +#include /* Limbs of the secp256k1 order. */ #define SECP256K1_N_0 ((uint32_t)0xD0364141UL) 
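Review bot: secp256k1_scalar_chacha20 runs in variable time, because the `do { ... } while (over1 | over2);` loop reruns the block with an incremented over_count whenever secp256k1_scalar_check_overflow flags either output, yet neither the name nor any comment says so. Other variable-time functions visible in this patch carry a `_var` suffix (secp256k1_scalar_inverse_var, secp256k1_ecmult_multi_var), so a reader may assume this one is suitable for secret seeds. I would add above the definition, and to the declaration in scalar.h: `/* Variable time: retries with over_count in the last state word until neither scalar overflows. Intended for seeds derived from public data only. */`. The same applies to the copy in scalar_8x32_impl.h.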
@@ -732,4 +733,98 @@ SECP256K1_INLINE static int secp256k1_scalar_is_even(const secp256k1_scalar *a) return !(a->d[0] & 1); } +#define ROTL32(x,n) ((x) << (n) | (x) >> (32-(n))) +#define QUARTERROUND(a,b,c,d) \ + a += b; d = ROTL32(d ^ a, 16); \ + c += d; b = ROTL32(b ^ c, 12); \ + a += b; d = ROTL32(d ^ a, 8); \ + c += d; b = ROTL32(b ^ c, 7); + +#ifdef WORDS_BIGENDIAN +#define LE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24)) +#else +#define LE32(p) (p) +#endif + +static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t idx) { + size_t n; + size_t over_count = 0; + uint32_t seed32[8]; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + int over1, over2; + + memcpy((void *) seed32, (const void *) seed, 32); + do { + x0 = 0x61707865; + x1 = 0x3320646e; + x2 = 0x79622d32; + x3 = 0x6b206574; + x4 = LE32(seed32[0]); + x5 = LE32(seed32[1]); + x6 = LE32(seed32[2]); + x7 = LE32(seed32[3]); + x8 = LE32(seed32[4]); + x9 = LE32(seed32[5]); + x10 = LE32(seed32[6]); + x11 = LE32(seed32[7]); + x12 = idx; + x13 = idx >> 32; + x14 = 0; + x15 = over_count; + + n = 10; + while (n--) { + QUARTERROUND(x0, x4, x8,x12) + QUARTERROUND(x1, x5, x9,x13) + QUARTERROUND(x2, x6,x10,x14) + QUARTERROUND(x3, x7,x11,x15) + QUARTERROUND(x0, x5,x10,x15) + QUARTERROUND(x1, x6,x11,x12) + QUARTERROUND(x2, x7, x8,x13) + QUARTERROUND(x3, x4, x9,x14) + } + + x0 += 0x61707865; + x1 += 0x3320646e; + x2 += 0x79622d32; + x3 += 0x6b206574; + x4 += LE32(seed32[0]); + x5 += LE32(seed32[1]); + x6 += LE32(seed32[2]); + x7 += LE32(seed32[3]); + x8 += LE32(seed32[4]); + x9 += LE32(seed32[5]); + x10 += LE32(seed32[6]); + x11 += LE32(seed32[7]); + x12 += idx; + x13 += idx >> 32; + x14 += 0; + x15 += over_count; + + r1->d[7] = x0; + r1->d[6] = x1; + r1->d[5] = x2; + r1->d[4] = x3; + r1->d[3] = x4; + r1->d[2] = x5; + r1->d[1] = x6; + r1->d[0] = x7; + r2->d[7] = x8; + 
r2->d[6] = x9; + r2->d[5] = x10; + r2->d[4] = x11; + r2->d[3] = x12; + r2->d[2] = x13; + r2->d[1] = x14; + r2->d[0] = x15; + + over1 = secp256k1_scalar_check_overflow(r1); + over2 = secp256k1_scalar_check_overflow(r2); + over_count++; + } while (over1 | over2); +} + +#undef ROTL32 +#undef QUARTERROUND +#undef LE32 #endif /* SECP256K1_SCALAR_REPR_IMPL_H */ diff --git a/src/scalar_low_impl.h b/src/scalar_low_impl.h index 7176f0b2ca..117c1a585d 100644 --- a/src/scalar_low_impl.h +++ b/src/scalar_low_impl.h @@ -136,4 +136,9 @@ static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_sc secp256k1_scalar_inverse(r, x); } +SECP256K1_INLINE static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t n) { + *r1 = (seed[0] + n) % EXHAUSTIVE_TEST_ORDER; + *r2 = (seed[1] + n) % EXHAUSTIVE_TEST_ORDER; +} + #endif /* SECP256K1_SCALAR_REPR_IMPL_H */ diff --git a/src/tests.c b/src/tests.c index 6ceaba5e31..d742fa1c82 100644 --- a/src/tests.c +++ b/src/tests.c 
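Review bot: The assignments `x12 = idx;`, `x13 = idx >> 32;` and `x15 = over_count;` narrow a uint64_t and a size_t into uint32_t state words implicitly. The truncation of idx is clearly intended, but written this way it cannot be told apart from an accident and it trips -Wconversion; `x12 = (uint32_t)idx; x13 = (uint32_t)(idx >> 32); x15 = (uint32_t)over_count;` states the intent. The same narrowing occurs in the `+=` feed-forward lines after the round loop and in the scalar_4x64_impl.h copy.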
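Review bot: `(seed[0] + n) % EXHAUSTIVE_TEST_ORDER` can evaluate to 0, so this stand-in may return a zero scalar and its output is a simple function of one seed byte. The batch verifier added later in this series multiplies each signature's terms by these values, and a zero randomizer removes that signature from the checked equation. If exhaustive-test builds are meant to exercise batch verification, a comment such as `/* Test-only stand-in: output may be 0 and is not pseudorandom */` would keep that visible. The parameter is also named `n` here while the declaration in scalar.h calls it `idx`.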
@@ -1732,6 +1732,114 @@ void run_scalar_set_b32_seckey_tests(void) { CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0); } +void scalar_chacha_tests(void) { + /* Test vectors 1 to 4 from https://tools.ietf.org/html/rfc8439#appendix-A + * Note that scalar_set_b32 and scalar_get_b32 represent integers + * underlying the scalar in big-endian format. */ + unsigned char expected1[64] = { + 0xad, 0xe0, 0xb8, 0x76, 0x90, 0x3d, 0xf1, 0xa0, + 0xe5, 0x6a, 0x5d, 0x40, 0x28, 0xbd, 0x86, 0x53, + 0xb8, 0x19, 0xd2, 0xbd, 0x1a, 0xed, 0x8d, 0xa0, + 0xcc, 0xef, 0x36, 0xa8, 0xc7, 0x0d, 0x77, 0x8b, + 0x7c, 0x59, 0x41, 0xda, 0x8d, 0x48, 0x57, 0x51, + 0x3f, 0xe0, 0x24, 0x77, 0x37, 0x4a, 0xd8, 0xb8, + 0xf4, 0xb8, 0x43, 0x6a, 0x1c, 0xa1, 0x18, 0x15, + 0x69, 0xb6, 0x87, 0xc3, 0x86, 0x65, 0xee, 0xb2 + }; + unsigned char expected2[64] = { + 0xbe, 0xe7, 0x07, 0x9f, 0x7a, 0x38, 0x51, 0x55, + 0x7c, 0x97, 0xba, 0x98, 0x0d, 0x08, 0x2d, 0x73, + 0xa0, 0x29, 0x0f, 0xcb, 0x69, 0x65, 0xe3, 0x48, + 0x3e, 0x53, 0xc6, 0x12, 0xed, 0x7a, 0xee, 0x32, + 0x76, 0x21, 0xb7, 0x29, 0x43, 0x4e, 0xe6, 0x9c, + 0xb0, 0x33, 0x71, 0xd5, 0xd5, 0x39, 0xd8, 0x74, + 0x28, 0x1f, 0xed, 0x31, 0x45, 0xfb, 0x0a, 0x51, + 0x1f, 0x0a, 0xe1, 0xac, 0x6f, 0x4d, 0x79, 0x4b + }; + unsigned char seed3[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 + }; + unsigned char expected3[64] = { + 0x24, 0x52, 0xeb, 0x3a, 0x92, 0x49, 0xf8, 0xec, + 0x8d, 0x82, 0x9d, 0x9b, 0xdd, 0xd4, 0xce, 0xb1, + 0xe8, 0x25, 0x20, 0x83, 0x60, 0x81, 0x8b, 0x01, + 0xf3, 0x84, 0x22, 0xb8, 0x5a, 0xaa, 0x49, 0xc9, + 0xbb, 0x00, 0xca, 0x8e, 0xda, 0x3b, 0xa7, 0xb4, + 0xc4, 0xb5, 0x92, 0xd1, 0xfd, 0xf2, 0x73, 0x2f, + 0x44, 0x36, 0x27, 0x4e, 0x25, 0x61, 0xb3, 0xc8, + 0xeb, 0xdd, 0x4a, 0xa6, 0xa0, 0x13, 0x6c, 0x00 + }; + unsigned char seed4[32] = { + 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + unsigned char expected4[64] = { + 0xfb, 0x4d, 0xd5, 0x72, 0x4b, 0xc4, 0x2e, 0xf1, + 0xdf, 0x92, 0x26, 0x36, 0x32, 0x7f, 0x13, 0x94, + 0xa7, 0x8d, 0xea, 0x8f, 0x5e, 0x26, 0x90, 0x39, + 0xa1, 0xbe, 0xbb, 0xc1, 0xca, 0xf0, 0x9a, 0xae, + 0xa2, 0x5a, 0xb2, 0x13, 0x48, 0xa6, 0xb4, 0x6c, + 0x1b, 0x9d, 0x9b, 0xcb, 0x09, 0x2c, 0x5b, 0xe6, + 0x54, 0x6c, 0xa6, 0x24, 0x1b, 0xec, 0x45, 0xd5, + 0x87, 0xf4, 0x74, 0x73, 0x96, 0xf0, 0x99, 0x2e + }; + unsigned char seed5[32] = { + 0x32, 0x56, 0x56, 0xf4, 0x29, 0x02, 0xc2, 0xf8, + 0xa3, 0x4b, 0x96, 0xf5, 0xa7, 0xf7, 0xe3, 0x6c, + 0x92, 0xad, 0xa5, 0x18, 0x1c, 0xe3, 0x41, 0xae, + 0xc3, 0xf3, 0x18, 0xd0, 0xfa, 0x5b, 0x72, 0x53 + }; + unsigned char expected5[64] = { + 0xe7, 0x56, 0xd3, 0x28, 0xe9, 0xc6, 0x19, 0x5c, + 0x6f, 0x17, 0x8e, 0x21, 0x8c, 0x1e, 0x72, 0x11, + 0xe7, 0xbd, 0x17, 0x0d, 0xac, 0x14, 0xad, 0xe9, + 0x3d, 0x9f, 0xb6, 0x92, 0xd6, 0x09, 0x20, 0xfb, + 0x43, 0x8e, 0x3b, 0x6d, 0xe3, 0x33, 0xdc, 0xc7, + 0x6c, 0x07, 0x6f, 0xbb, 0x1f, 0xb4, 0xc8, 0xb5, + 0xe3, 0x6c, 0xe5, 0x12, 0xd9, 0xd7, 0x64, 0x0c, + 0xf5, 0xa7, 0x0d, 0xab, 0x79, 0x03, 0xf1, 0x81 + }; + + secp256k1_scalar exp_r1, exp_r2; + secp256k1_scalar r1, r2; + unsigned char seed0[32] = { 0 }; + + secp256k1_scalar_chacha20(&r1, &r2, seed0, 0); + secp256k1_scalar_set_b32(&exp_r1, &expected1[0], NULL); + secp256k1_scalar_set_b32(&exp_r2, &expected1[32], NULL); + CHECK(secp256k1_scalar_eq(&exp_r1, &r1)); + CHECK(secp256k1_scalar_eq(&exp_r2, &r2)); + + secp256k1_scalar_chacha20(&r1, &r2, seed0, 1); + secp256k1_scalar_set_b32(&exp_r1, &expected2[0], NULL); + secp256k1_scalar_set_b32(&exp_r2, &expected2[32], NULL); + CHECK(secp256k1_scalar_eq(&exp_r1, &r1)); + CHECK(secp256k1_scalar_eq(&exp_r2, &r2)); + + secp256k1_scalar_chacha20(&r1, &r2, seed3, 1); + secp256k1_scalar_set_b32(&exp_r1, &expected3[0], NULL); + 
secp256k1_scalar_set_b32(&exp_r2, &expected3[32], NULL); + CHECK(secp256k1_scalar_eq(&exp_r1, &r1)); + CHECK(secp256k1_scalar_eq(&exp_r2, &r2)); + + secp256k1_scalar_chacha20(&r1, &r2, seed4, 2); + secp256k1_scalar_set_b32(&exp_r1, &expected4[0], NULL); + secp256k1_scalar_set_b32(&exp_r2, &expected4[32], NULL); + CHECK(secp256k1_scalar_eq(&exp_r1, &r1)); + CHECK(secp256k1_scalar_eq(&exp_r2, &r2)); + + secp256k1_scalar_chacha20(&r1, &r2, seed5, 0x6ff8602a7a78e2f2ULL); + secp256k1_scalar_set_b32(&exp_r1, &expected5[0], NULL); + secp256k1_scalar_set_b32(&exp_r2, &expected5[32], NULL); + CHECK(secp256k1_scalar_eq(&exp_r1, &r1)); + CHECK(secp256k1_scalar_eq(&exp_r2, &r2)); +} + void run_scalar_tests(void) { int i; for (i = 0; i < 128 * count; i++) { @@ -1741,6 +1849,8 @@ void run_scalar_tests(void) { run_scalar_set_b32_seckey_tests(); } + scalar_chacha_tests(); + { /* (-1)+1 should be zero. */ secp256k1_scalar s, o; From 03e125d92f04272a9339bfb35420253ff6eecdd2 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Thu, 18 Jun 2020 13:35:01 +0000 Subject: [PATCH 2/8] schnorrsig: add batch_verify --- include/secp256k1_schnorrsig.h | 21 ++++ src/bench_schnorrsig.c | 34 +++++ src/modules/schnorrsig/main_impl.h | 184 ++++++++++++++++++++++++++++ src/modules/schnorrsig/tests_impl.h | 101 +++++++++++---- 4 files changed, 316 insertions(+), 24 deletions(-) diff --git a/include/secp256k1_schnorrsig.h b/include/secp256k1_schnorrsig.h index 0150cd3395..cc31495192 100644 --- a/include/secp256k1_schnorrsig.h +++ b/include/secp256k1_schnorrsig.h 
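Review bot: The header comment of scalar_chacha_tests attributes vectors 1 to 4 to RFC 8439, but seed5/expected5 with idx 0x6ff8602a7a78e2f2 have no stated origin or purpose. If that vector was chosen to reach the retry path in secp256k1_scalar_chacha20 (over_count > 0), the test should say so, since that branch is otherwise not obviously covered; something like `/* Vector 5: not from the RFC; <origin and the branch it exercises> */` above seed5 would do. The seed and expected arrays are never written and could be declared `static const`.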
@@ -104,6 +104,27 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify( const secp256k1_xonly_pubkey *pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); +/** Verifies a set of Schnorr signatures. + * + * Returns 1 if all succeeded, 0 otherwise. In particular, returns 1 if n_sigs is 0. + * + * Args: ctx: a secp256k1 context object, initialized for verification. + * scratch: scratch space used for the multiexponentiation + * In: sig: array of pointers to signatures, or NULL if there are no signatures + * msg32: array of pointers to messages, or NULL if there are no signatures + * pk: array of pointers to x-only public keys, or NULL if there are no signatures + * n_sigs: number of signatures in above arrays. Must be below the + * minimum of 2^31 and SIZE_MAX/2. Must be 0 if above arrays are NULL. + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify_batch( + const secp256k1_context* ctx, + secp256k1_scratch_space *scratch, + const unsigned char *const *sig, + const unsigned char *const *msg32, + const secp256k1_xonly_pubkey *const *pk, + size_t n_sigs +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); + #ifdef __cplusplus } #endif diff --git a/src/bench_schnorrsig.c b/src/bench_schnorrsig.c index dfea144148..c555893dd3 100644 --- a/src/bench_schnorrsig.c +++ b/src/bench_schnorrsig.c @@ -15,6 +15,7 @@ typedef struct { secp256k1_context *ctx; + secp256k1_scratch_space *scratch; int n; const secp256k1_keypair **keypairs; 
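Review bot: The documentation of secp256k1_schnorrsig_verify_batch does not give the size of the buffers the arrays point to, nor say that every element must be non-NULL; the implementation in main_impl.h reads 64 bytes from each sig[i] and 32 from each msg32[i] without checking the element pointers. A return of 0 also covers several cases (an invalid signature somewhere in the batch, an illegal argument, a public key that fails to serialize), and the comment should tell callers that 0 does not identify which signature failed. Suggested wording for the `sig` line: `array of pointers to 64-byte signatures (each non-NULL), or NULL if there are no signatures`, with the matching change for msg32 and pk. The text says n_sigs must be below SIZE_MAX/2 while the code checks `n_sigs <= SIZE_MAX / 2`; one of the two should change.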
@@ -47,12 +48,35 @@ void bench_schnorrsig_verify(void* arg, int iters) { } } +void bench_schnorrsig_verify_n(void* arg, int iters) { + bench_schnorrsig_data *data = (bench_schnorrsig_data *)arg; + int i, j; + const secp256k1_xonly_pubkey **pk = (const secp256k1_xonly_pubkey **)malloc(data->n * sizeof(*pk)); + + CHECK(pk != NULL); + for (j = 0; j < iters/data->n; j++) { + for (i = 0; i < data->n; i++) { + secp256k1_xonly_pubkey *pk_nonconst = (secp256k1_xonly_pubkey *)malloc(sizeof(*pk_nonconst)); + CHECK(secp256k1_xonly_pubkey_parse(data->ctx, pk_nonconst, data->pk[i]) == 1); + pk[i] = pk_nonconst; + } + CHECK(secp256k1_schnorrsig_verify_batch(data->ctx, data->scratch, data->sigs, data->msgs, pk, data->n)); + for (i = 0; i < data->n; i++) { + free((void *)pk[i]); + } + } + free(pk); +} + int main(void) { int i; bench_schnorrsig_data data; int iters = get_iters(10000); data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN); + /* Scratch space size was selected to allow fitting the maximum number of + * points for the default iters value into a single ecmult_multi batch. */ + data.scratch = secp256k1_scratch_space_create(data.ctx, 5 * 1024 * 1024); data.keypairs = (const secp256k1_keypair **)malloc(iters * sizeof(secp256k1_keypair *)); data.pk = (const unsigned char **)malloc(iters * sizeof(unsigned char *)); data.msgs = (const unsigned char **)malloc(iters * sizeof(unsigned char *)); 
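Review bot: In bench_schnorrsig_verify_n the inner `malloc(sizeof(*pk_nonconst))` is passed straight to secp256k1_xonly_pubkey_parse without a NULL check, unlike the outer `pk` allocation which has `CHECK(pk != NULL);`. Add `CHECK(pk_nonconst != NULL);` before the parse. The allocate/parse/free cycle also runs inside the benchmarked function, so the reported figure presumably includes n allocations and n pubkey parses per batch; parsing once before the `j` loop would measure verify_batch alone. The result of secp256k1_scratch_space_create in main is likewise used without a check.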
@@ -85,6 +109,15 @@ int main(void) { run_benchmark("schnorrsig_sign", bench_schnorrsig_sign, NULL, NULL, (void *) &data, 10, iters); run_benchmark("schnorrsig_verify", bench_schnorrsig_verify, NULL, NULL, (void *) &data, 10, iters); + for (i = 1; i <= iters; i *= 2) { + char name[64]; + int divisible_iters; + sprintf(name, "schnorrsig_batch_verify_%d", (int) i); + + data.n = i; + divisible_iters = iters - (iters % data.n); + run_benchmark(name, bench_schnorrsig_verify_n, NULL, NULL, (void *) &data, 3, divisible_iters); + } for (i = 0; i < iters; i++) { free((void *)data.keypairs[i]); @@ -97,6 +130,7 @@ int main(void) { free(data.msgs); free(data.sigs); + secp256k1_scratch_space_destroy(data.ctx, data.scratch); secp256k1_context_destroy(data.ctx); return 0; } diff --git a/src/modules/schnorrsig/main_impl.h b/src/modules/schnorrsig/main_impl.h index af503bf5eb..63e59bcb2d 100644 --- a/src/modules/schnorrsig/main_impl.h +++ b/src/modules/schnorrsig/main_impl.h 
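Review bot: `for (i = 1; i <= iters; i *= 2)` overflows the signed int `i` once iters exceeds INT_MAX/2, which is undefined behaviour; get_iters is outside this hunk, so whether it can return such a value is not visible here. Ending the loop body with `if (i > iters / 2) break;` keeps the doubling in range. The comment on the scratch size in main says 5 MiB was chosen for the default iters value, so it is worth stating next to this loop that larger iters values may no longer fit in a single ecmult_multi batch.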
@@ -236,4 +236,188 @@ int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned cha secp256k1_fe_equal_var(&rx, &r.x); } +/* Data that is used by the batch verification ecmult callback */ +typedef struct { + const secp256k1_context *ctx; + /* Seed for the random number generator */ + unsigned char chacha_seed[32]; + /* Caches randomizers generated by the PRNG which returns two randomizers per call. Caching + * avoids having to call the PRNG twice as often. The very first randomizer will be set to 1 and + * the PRNG is called at every odd indexed schnorrsig to fill the cache. */ + secp256k1_scalar randomizer_cache[2]; + /* Signature, message, public key tuples to verify */ + const unsigned char *const *sig; + const unsigned char *const *msg32; + const secp256k1_xonly_pubkey *const *pk; + size_t n_sigs; +} secp256k1_schnorrsig_verify_ecmult_context; + +/* Callback function which is called by ecmult_multi in order to convert the ecmult_context + * consisting of signature, message and public key tuples into scalars and points. */ +static int secp256k1_schnorrsig_verify_batch_ecmult_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data) { + secp256k1_schnorrsig_verify_ecmult_context *ecmult_context = (secp256k1_schnorrsig_verify_ecmult_context *) data; + + if (idx % 4 == 2) { + /* Every idx corresponds to a (scalar,point)-tuple. 
So this callback is called with 4 + * consecutive tuples before we need to call the RNG for new randomizers: + * (-randomizer_cache[0], R1) + * (-randomizer_cache[0]*e1, P1) + * (-randomizer_cache[1], R2) + * (-randomizer_cache[1]*e2, P2) */ + secp256k1_scalar_chacha20(&ecmult_context->randomizer_cache[0], &ecmult_context->randomizer_cache[1], ecmult_context->chacha_seed, idx / 4); + } + + /* R */ + if (idx % 2 == 0) { + secp256k1_fe rx; + *sc = ecmult_context->randomizer_cache[(idx / 2) % 2]; + if (!secp256k1_fe_set_b32(&rx, &ecmult_context->sig[idx / 2][0])) { + return 0; + } + if (!secp256k1_ge_set_xo_var(pt, &rx, 0)) { + return 0; + } + /* eP */ + } else { + unsigned char buf[32]; + secp256k1_sha256 sha; + + /* xonly_pubkey_load is guaranteed not to fail because + * verify_batch_init_randomizer calls secp256k1_ec_pubkey_serialize + * which only works if loading the pubkey into a group element + * succeeds.*/ + VERIFY_CHECK(secp256k1_xonly_pubkey_load(ecmult_context->ctx, pt, ecmult_context->pk[idx / 2])); + + secp256k1_schnorrsig_sha256_tagged(&sha); + secp256k1_sha256_write(&sha, &ecmult_context->sig[idx / 2][0], 32); + secp256k1_fe_get_b32(buf, &pt->x); + secp256k1_sha256_write(&sha, buf, sizeof(buf)); + secp256k1_sha256_write(&sha, ecmult_context->msg32[idx / 2], 32); + secp256k1_sha256_finalize(&sha, buf); + + secp256k1_scalar_set_b32(sc, buf, NULL); + secp256k1_scalar_mul(sc, sc, &ecmult_context->randomizer_cache[(idx / 2) % 2]); + } + return 1; +} + +/** Helper function for batch verification. Hashes signature verification data into the + * randomization seed and initializes ecmult_context. + * + * Returns 1 if the randomizer was successfully initialized. 
+ * + * Args: ctx: a secp256k1 context object + * Out: ecmult_context: context for batch_ecmult_callback + * In/Out sha: an initialized sha256 object which hashes the schnorrsig input in order to get a + * seed for the randomizer PRNG + * In: sig: array of signatures, or NULL if there are no signatures + * msg32: array of messages, or NULL if there are no signatures + * pk: array of public keys, or NULL if there are no signatures + * n_sigs: number of signatures in above arrays (must be 0 if they are NULL) + */ +static int secp256k1_schnorrsig_verify_batch_init_randomizer(const secp256k1_context *ctx, secp256k1_schnorrsig_verify_ecmult_context *ecmult_context, secp256k1_sha256 *sha, const unsigned char *const *sig, const unsigned char *const *msg32, const secp256k1_xonly_pubkey *const *pk, size_t n_sigs) { + size_t i; + + if (n_sigs > 0) { + ARG_CHECK(sig != NULL); + ARG_CHECK(msg32 != NULL); + ARG_CHECK(pk != NULL); + } + + for (i = 0; i < n_sigs; i++) { + unsigned char buf[33]; + size_t buflen = sizeof(buf); + secp256k1_sha256_write(sha, sig[i], 64); + secp256k1_sha256_write(sha, msg32[i], 32); + /* We use compressed serialization here. If we would use + * xonly_pubkey serialization and a user would wrongly memcpy + * normal secp256k1_pubkeys into xonly_pubkeys then the randomizer + * would be the same for two different pubkeys. */ + if (!secp256k1_ec_pubkey_serialize(ctx, buf, &buflen, (const secp256k1_pubkey *) pk[i], SECP256K1_EC_COMPRESSED)) { + return 0; + } + secp256k1_sha256_write(sha, buf, buflen); + } + ecmult_context->ctx = ctx; + ecmult_context->sig = sig; + ecmult_context->msg32 = msg32; + ecmult_context->pk = pk; + ecmult_context->n_sigs = n_sigs; + + return 1; +} + +/** Helper function for batch verification. Sums the s part of all signatures multiplied by their + * randomizer. + * + * Returns 1 if s is successfully summed. 
+ * + * In/Out: s: the s part of the input sigs is added to this s argument + * In: chacha_seed: PRNG seed for computing randomizers + * sig: array of signatures, or NULL if there are no signatures + * n_sigs: number of signatures in above array (must be 0 if they are NULL) + */ +static int secp256k1_schnorrsig_verify_batch_sum_s(secp256k1_scalar *s, unsigned char *chacha_seed, const unsigned char *const *sig, size_t n_sigs) { + secp256k1_scalar randomizer_cache[2]; + size_t i; + + secp256k1_scalar_set_int(&randomizer_cache[0], 1); + for (i = 0; i < n_sigs; i++) { + int overflow; + secp256k1_scalar term; + if (i % 2 == 1) { + secp256k1_scalar_chacha20(&randomizer_cache[0], &randomizer_cache[1], chacha_seed, i / 2); + } + + secp256k1_scalar_set_b32(&term, &sig[i][32], &overflow); + if (overflow) { + return 0; + } + secp256k1_scalar_mul(&term, &term, &randomizer_cache[i % 2]); + secp256k1_scalar_add(s, s, &term); + } + return 1; +} + +/* schnorrsig batch verification. + * + * Seeds a random number generator with the inputs and derives a random number + * ai for every signature i. Fails if + * + * 0 != -(s1 + a2*s2 + ... + au*su)G + * + R1 + a2*R2 + ... + au*Ru + e1*P1 + (a2*e2)P2 + ... + (au*eu)Pu. + */ +int secp256k1_schnorrsig_verify_batch(const secp256k1_context *ctx, secp256k1_scratch *scratch, const unsigned char *const *sig, const unsigned char *const *msg32, const secp256k1_xonly_pubkey *const *pk, size_t n_sigs) { + secp256k1_schnorrsig_verify_ecmult_context ecmult_context; + secp256k1_sha256 sha; + secp256k1_scalar s; + secp256k1_gej rj; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(scratch != NULL); + /* Check that n_sigs is less than half of the maximum size_t value. This is necessary because + * the number of points given to ecmult_multi is 2*n_sigs. 
*/ + ARG_CHECK(n_sigs <= SIZE_MAX / 2); + /* Check that n_sigs is less than 2^31 to ensure the same behavior of this function on 32-bit + * and 64-bit platforms. */ + ARG_CHECK(n_sigs < ((uint32_t)1 << 31)); + + secp256k1_sha256_initialize(&sha); + if (!secp256k1_schnorrsig_verify_batch_init_randomizer(ctx, &ecmult_context, &sha, sig, msg32, pk, n_sigs)) { + return 0; + } + secp256k1_sha256_finalize(&sha, ecmult_context.chacha_seed); + secp256k1_scalar_set_int(&ecmult_context.randomizer_cache[0], 1); + + secp256k1_scalar_clear(&s); + if (!secp256k1_schnorrsig_verify_batch_sum_s(&s, ecmult_context.chacha_seed, sig, n_sigs)) { + return 0; + } + secp256k1_scalar_negate(&s, &s); + + return secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &rj, &s, secp256k1_schnorrsig_verify_batch_ecmult_callback, (void *) &ecmult_context, 2 * n_sigs) + && secp256k1_gej_is_infinity(&rj); +} + #endif diff --git a/src/modules/schnorrsig/tests_impl.h b/src/modules/schnorrsig/tests_impl.h index f4fa5b4d84..c2ea227a87 100644 --- a/src/modules/schnorrsig/tests_impl.h +++ b/src/modules/schnorrsig/tests_impl.h @@ -97,7 +97,7 @@ void run_nonce_function_bip340_tests(void) { CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1); } -void test_schnorrsig_api(void) { +void test_schnorrsig_api(secp256k1_scratch_space *scratch) { unsigned char sk1[32]; unsigned char sk2[32]; unsigned char sk3[32]; @@ -107,6 +107,10 @@ void test_schnorrsig_api(void) { secp256k1_xonly_pubkey pk[3]; secp256k1_xonly_pubkey zero_pk; unsigned char sig[64]; + const unsigned char *sigptr = sig; + const unsigned char *msgptr = msg; + const secp256k1_xonly_pubkey *pkptr = &pk[0]; + const secp256k1_xonly_pubkey *zeroptr = &zero_pk; /** setup **/ secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 
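Review bot: In secp256k1_schnorrsig_verify_batch_ecmult_callback the public key is loaded inside `VERIFY_CHECK(secp256k1_xonly_pubkey_load(...))`, so the only statement that writes `pt` in the eP branch sits in an assertion macro. VERIFY_CHECK is defined outside this patch; if any build configuration expands it to nothing, `pt->x` is hashed and the point is used uninitialized. Making the call unconditional costs nothing: `if (!secp256k1_xonly_pubkey_load(ecmult_context->ctx, pt, ecmult_context->pk[idx / 2])) { return 0; }`. The callback also relies on being invoked with idx strictly ascending from 0 and once per index, because randomizer_cache is refilled only at `idx % 4 == 2`; that ordering contract with ecmult_multi deserves a comment. The `(-randomizer_cache[0], R1)` tuples in the existing comment carry a minus sign the code does not apply, since only `s` is negated in secp256k1_schnorrsig_verify_batch.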
@@ -170,6 +174,30 @@ void test_schnorrsig_api(void) { CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, &zero_pk) == 0); CHECK(ecount == 6); + ecount = 0; + CHECK(secp256k1_schnorrsig_verify_batch(none, scratch, &sigptr, &msgptr, &pkptr, 1) == 0); + CHECK(ecount == 1); + CHECK(secp256k1_schnorrsig_verify_batch(sign, scratch, &sigptr, &msgptr, &pkptr, 1) == 0); + CHECK(ecount == 2); + CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, &pkptr, 1) == 1); + CHECK(ecount == 2); + CHECK(secp256k1_schnorrsig_verify_batch(vrfy, NULL, &sigptr, &msgptr, &pkptr, 1) == 0); + CHECK(ecount == 3); + CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, NULL, NULL, NULL, 0) == 1); + CHECK(ecount == 3); + CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, NULL, &msgptr, &pkptr, 1) == 0); + CHECK(ecount == 4); + CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, NULL, &pkptr, 1) == 0); + CHECK(ecount == 5); + CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, NULL, 1) == 0); + CHECK(ecount == 6); + CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, &pkptr, (size_t)1 << (sizeof(size_t)*8-1)) == 0); + CHECK(ecount == 7); + CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, &pkptr, (uint32_t)1 << 31) == 0); + CHECK(ecount == 8); + CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, &zeroptr, 1) == 0); + CHECK(ecount == 9); + secp256k1_context_destroy(none); secp256k1_context_destroy(sign); secp256k1_context_destroy(vrfy); 
@@ -206,17 +234,26 @@ void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const un } /* Helper function for schnorrsig_bip_vectors - * Checks that both verify and verify_batch (TODO) return the same value as expected. */ -void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) { + * Checks that both verify and verify_batch return the same value as expected. */ +void test_schnorrsig_bip_vectors_check_verify(secp256k1_scratch_space *scratch, const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) { + const unsigned char *msg_arr[1]; + const unsigned char *sig_arr[1]; + const secp256k1_xonly_pubkey *pk_arr[1]; secp256k1_xonly_pubkey pk; CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized)); + + sig_arr[0] = sig; + msg_arr[0] = msg32; + pk_arr[0] = &pk; + CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, &pk)); + CHECK(expected == secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 1)); } /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */ -void test_schnorrsig_bip_vectors(void) { +void test_schnorrsig_bip_vectors(secp256k1_scratch_space *scratch) { { /* Test vector 0 */ const unsigned char sk[32] = { @@ -254,7 +291,7 @@ void test_schnorrsig_bip_vectors(void) { 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0 }; test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig); - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 1); } { /* Test vector 1 */ 
@@ -293,7 +330,7 @@ void test_schnorrsig_bip_vectors(void) { 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A }; test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig); - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 1); } { /* Test vector 2 */ @@ -332,7 +369,7 @@ void test_schnorrsig_bip_vectors(void) { 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7 }; test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig); - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 1); } { /* Test vector 3 */ @@ -371,7 +408,7 @@ void test_schnorrsig_bip_vectors(void) { 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3 }; test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig); - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 1); } { /* Test vector 4 */ @@ -397,7 +434,7 @@ void test_schnorrsig_bip_vectors(void) { 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93, 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4 }; - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 1); } { /* Test vector 5 */ @@ -435,7 +472,7 @@ void test_schnorrsig_bip_vectors(void) { 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E, 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2 }; - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 0); } { /* Test vector 7 */ @@ -461,7 +498,7 @@ void test_schnorrsig_bip_vectors(void) { 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35, 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD }; - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 0); } { /* Test vector 8 */ 
@@ -487,7 +524,7 @@ void test_schnorrsig_bip_vectors(void) { 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C, 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6 }; - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 0); } { /* Test vector 9 */ @@ -513,7 +550,7 @@ void test_schnorrsig_bip_vectors(void) { 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC, 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51 }; - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 0); } { /* Test vector 10 */ @@ -539,7 +576,7 @@ void test_schnorrsig_bip_vectors(void) { 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9, 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97 }; - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 0); } { /* Test vector 11 */ @@ -565,7 +602,7 @@ void test_schnorrsig_bip_vectors(void) { 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F, 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B }; - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 0); } { /* Test vector 12 */ @@ -591,7 +628,7 @@ void test_schnorrsig_bip_vectors(void) { 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F, 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B }; - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 0); } { /* Test vector 13 */ @@ -617,7 +654,7 @@ void test_schnorrsig_bip_vectors(void) { 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 }; - test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0); + test_schnorrsig_bip_vectors_check_verify(scratch, pk, msg, sig, 0); } { /* Test vector 14 */ 
@@ -692,13 +729,16 @@ void test_schnorrsig_sign(void) { #define N_SIGS 3 /* Creates N_SIGS valid signatures and verifies them with verify and - * verify_batch (TODO). Then flips some bits and checks that verification now + * verify_batch. Then flips some bits and checks that verification now * fails. */ -void test_schnorrsig_sign_verify(void) { +void test_schnorrsig_sign_verify(secp256k1_scratch_space *scratch) { unsigned char sk[32]; unsigned char msg[N_SIGS][32]; unsigned char sig[N_SIGS][64]; size_t i; + const unsigned char *sig_arr[N_SIGS]; + const unsigned char *msg_arr[N_SIGS]; + const secp256k1_xonly_pubkey *pk_arr[N_SIGS]; secp256k1_keypair keypair; secp256k1_xonly_pubkey pk; secp256k1_scalar s; 
@@ -707,34 +747,43 @@ void test_schnorrsig_sign_verify(void) { CHECK(secp256k1_keypair_create(ctx, &keypair, sk)); CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair)); + CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, NULL, NULL, NULL, 0)); + for (i = 0; i < N_SIGS; i++) { secp256k1_testrand256(msg[i]); CHECK(secp256k1_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL, NULL)); CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], &pk)); + sig_arr[i] = sig[i]; + msg_arr[i] = msg[i]; + pk_arr[i] = &pk; + CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, i)); } - { /* Flip a few bits in the signature and in the message and check that - * verify and verify_batch (TODO) fail */ + * verify and verify_batch fail */ size_t sig_idx = secp256k1_testrand_int(N_SIGS); size_t byte_idx = secp256k1_testrand_int(32); unsigned char xorbyte = secp256k1_testrand_int(254)+1; sig[sig_idx][byte_idx] ^= xorbyte; CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); + CHECK(!secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, N_SIGS)); sig[sig_idx][byte_idx] ^= xorbyte; byte_idx = secp256k1_testrand_int(32); sig[sig_idx][32+byte_idx] ^= xorbyte; CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); + CHECK(!secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, N_SIGS)); sig[sig_idx][32+byte_idx] ^= xorbyte; byte_idx = secp256k1_testrand_int(32); msg[sig_idx][byte_idx] ^= xorbyte; CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); + CHECK(!secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, N_SIGS)); msg[sig_idx][byte_idx] ^= xorbyte; /* Check that above bitflips have been reversed correctly */ CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); + CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, N_SIGS)); } /* Test overflowing s */ 
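Review bot: The batch check added inside the signing loop passes `i` as the count, so on iteration i it covers only entries 0..i-1 and never includes the signature just stored in `sig_arr[i]`. The first iteration therefore repeats the empty-batch check made before the loop, and the largest batch that is positively verified before the bit-flip section has N_SIGS-1 entries; the negative checks with N_SIGS only get their positive baseline at the very end. If the intent is to verify each growing prefix, the call should read `CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, i + 1));`. test_schnorrsig_sign_verify starts and ends outside this hunk.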
@@ -791,16 +840,20 @@ void test_schnorrsig_taproot(void) { void run_schnorrsig_tests(void) { int i; + secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024); + run_nonce_function_bip340_tests(); - test_schnorrsig_api(); + test_schnorrsig_api(scratch); test_schnorrsig_sha256_tagged(); - test_schnorrsig_bip_vectors(); + test_schnorrsig_bip_vectors(scratch); for (i = 0; i < count; i++) { test_schnorrsig_sign(); - test_schnorrsig_sign_verify(); + test_schnorrsig_sign_verify(scratch); } test_schnorrsig_taproot(); + + secp256k1_scratch_space_destroy(ctx, scratch); } #endif From e8663014ef05d1127f65c9ccc50cd6c53e40341c Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sat, 12 Sep 2020 11:19:41 +0000 Subject: [PATCH 3/8] fixup! Add scalar_chacha20 --- src/scalar_4x64_impl.h | 4 ++-- src/scalar_8x32_impl.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/scalar_4x64_impl.h b/src/scalar_4x64_impl.h index fa9ea89a1d..f0bb968164 100644 --- a/src/scalar_4x64_impl.h +++ b/src/scalar_4x64_impl.h @@ -874,9 +874,9 @@ SECP256K1_INLINE static int secp256k1_scalar_is_even(const secp256k1_scalar *a) a += b; d = ROTL32(d ^ a, 8); \ c += d; b = ROTL32(b ^ c, 7); -#ifdef WORDS_BIGENDIAN +#if defined(SECP256K1_BIG_ENDIAN) #define LE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24)) -#else +#elif defined(SECP256K1_LITTLE_ENDIAN) #define LE32(p) (p) #endif diff --git a/src/scalar_8x32_impl.h b/src/scalar_8x32_impl.h index 61c1d96fcd..b820737fe3 100644 --- a/src/scalar_8x32_impl.h +++ b/src/scalar_8x32_impl.h 
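Review bot: The `#if defined(SECP256K1_BIG_ENDIAN)` / `#elif defined(SECP256K1_LITTLE_ENDIAN)` chain in src/scalar_4x64_impl.h has no fallback branch, so a build in which neither macro is defined leaves `LE32` undefined. With the `-std=c89` flags this project builds with, an undeclared `LE32(...)` is likely to be accepted as an implicit function call and only fail at link time, far from the actual misconfiguration. Closing the chain with `#else` and `#error "endianness not defined"` before `#endif` makes the failure explicit without guessing a byte order, which matters because a wrong guess would silently change the scalars derived from the seed. The same applies to the identical hunk in src/scalar_8x32_impl.h.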
@@ -740,9 +740,9 @@ SECP256K1_INLINE static int secp256k1_scalar_is_even(const secp256k1_scalar *a) a += b; d = ROTL32(d ^ a, 8); \ c += d; b = ROTL32(b ^ c, 7); -#ifdef WORDS_BIGENDIAN +#if defined(SECP256K1_BIG_ENDIAN) #define LE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24)) -#else +#elif defined(SECP256K1_LITTLE_ENDIAN) #define LE32(p) (p) #endif From 9646aad346b38828df4cf9542649b990d7978f44 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Fri, 2 Apr 2021 19:12:46 +0000 Subject: [PATCH 4/8] fixup! scratch space in benchmarks Without this commit, 8192 points require 2 batches. --- src/bench_schnorrsig.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/bench_schnorrsig.c b/src/bench_schnorrsig.c index c555893dd3..2148bfefb6 100644 --- a/src/bench_schnorrsig.c +++ b/src/bench_schnorrsig.c @@ -76,7 +76,7 @@ int main(void) { data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN); /* Scratch space size was selected to allow fitting the maximum number of * points for the default iters value into a single ecmult_multi batch. */ - data.scratch = secp256k1_scratch_space_create(data.ctx, 5 * 1024 * 1024); + data.scratch = secp256k1_scratch_space_create(data.ctx, 7 * 1024 * 1024); data.keypairs = (const secp256k1_keypair **)malloc(iters * sizeof(secp256k1_keypair *)); data.pk = (const unsigned char **)malloc(iters * sizeof(unsigned char *)); data.msgs = (const unsigned char **)malloc(iters * sizeof(unsigned char *)); From b40c6e52ef2015c15f967c6b2c5ff76eb0c35bac Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sat, 29 May 2021 02:44:35 +0000 Subject: [PATCH 5/8] bench_schnorrsig: stop verifying same sigs in each iter --- src/bench_schnorrsig.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bench_schnorrsig.c b/src/bench_schnorrsig.c index 2148bfefb6..8497143658 100644 --- a/src/bench_schnorrsig.c +++ b/src/bench_schnorrsig.c 
@@ -57,10 +57,10 @@ void bench_schnorrsig_verify_n(void* arg, int iters) { for (j = 0; j < iters/data->n; j++) { for (i = 0; i < data->n; i++) { secp256k1_xonly_pubkey *pk_nonconst = (secp256k1_xonly_pubkey *)malloc(sizeof(*pk_nonconst)); - CHECK(secp256k1_xonly_pubkey_parse(data->ctx, pk_nonconst, data->pk[i]) == 1); + CHECK(secp256k1_xonly_pubkey_parse(data->ctx, pk_nonconst, data->pk[i+j]) == 1); pk[i] = pk_nonconst; } - CHECK(secp256k1_schnorrsig_verify_batch(data->ctx, data->scratch, data->sigs, data->msgs, pk, data->n)); + CHECK(secp256k1_schnorrsig_verify_batch(data->ctx, data->scratch, &data->sigs[j], &data->msgs[j], pk, data->n)); for (i = 0; i < data->n; i++) { free((void *)pk[i]); } From c2f73913a2230a4575ba64db2ca27b5e4f3d13a0 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Fri, 14 May 2021 18:55:19 +0000 Subject: [PATCH 6/8] doc: add batch verification speedup graph --- doc/speedup-batch.md | 4 + doc/speedup-batch/.gitignore | 2 + doc/speedup-batch/Makefile | 11 +++ doc/speedup-batch/bench.sh | 13 +++ doc/speedup-batch/bench_output.txt | 67 +++++++++++++ doc/speedup-batch/bench_output.txt.log | 129 +++++++++++++++++++++++++ doc/speedup-batch/plot.p | 33 +++++++ doc/speedup-batch/speedup-batch.png | Bin 0 -> 10303 bytes src/bench_schnorrsig.c | 6 +- 9 files changed, 263 insertions(+), 2 deletions(-) create mode 100644 doc/speedup-batch.md create mode 100644 doc/speedup-batch/.gitignore create mode 100644 doc/speedup-batch/Makefile create mode 100755 doc/speedup-batch/bench.sh create mode 100644 doc/speedup-batch/bench_output.txt create mode 100644 doc/speedup-batch/bench_output.txt.log create mode 100644 doc/speedup-batch/plot.p create mode 100644 doc/speedup-batch/speedup-batch.png diff --git a/doc/speedup-batch.md b/doc/speedup-batch.md new file mode 100644 index 0000000000..02eda65ee5 --- /dev/null +++ b/doc/speedup-batch.md 
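Review bot: The new indexing advances the window by one entry per outer iteration (`data->pk[i+j]`, `&data->sigs[j]`, `&data->msgs[j]`), so consecutive batches still share all but one signature and only the first `data->n + iters/data->n - 1` entries are ever touched. If the goal is that each batch verifies different signatures, stride by the batch size instead: `data->pk[j * data->n + i]`, `&data->sigs[j * data->n]` and `&data->msgs[j * data->n]`. That keeps the highest index below `iters`, assuming the arrays hold `iters` entries; their allocation is outside this hunk, as are the start and end of bench_schnorrsig_verify_n.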
@@ -0,0 +1,4 @@
+# Schnorrsig Batch Verification Speedup
+
+![Speedup over single verification](speedup-batch/speedup-batch.png)
+
diff --git a/doc/speedup-batch/.gitignore b/doc/speedup-batch/.gitignore
new file mode 100644
index 0000000000..5af90e7292
--- /dev/null
+++ b/doc/speedup-batch/.gitignore
@@ -0,0 +1,2 @@
+batch.dat
+single.dat
\ No newline at end of file
diff --git a/doc/speedup-batch/Makefile b/doc/speedup-batch/Makefile
new file mode 100644
index 0000000000..9db4ff95d3
--- /dev/null
+++ b/doc/speedup-batch/Makefile
@@ -0,0 +1,11 @@
+bench_output.txt: bench.sh
+ SECP256K1_BENCH_ITERS=500000 ./bench.sh bench_output.txt
+
+batch.dat: bench_output.txt
+ cat bench_output.txt | grep -v "schnorrsig_batch_verify_1:" | gawk 'match($$0, /schnorrsig_batch_verify_(.*):.*avg (.*)us /, a) {print a[1] " " a[2]}' > batch.dat
+
+single.dat: bench_output.txt
+ cat bench_output.txt | awk 'match($$0, /schnorrsig_verify:.*avg (.*)us /, a) {print a[1]}' > single.dat
+
+speedup-batch.png: batch.dat single.dat plot.p
+ gnuplot plot.p
diff --git a/doc/speedup-batch/bench.sh b/doc/speedup-batch/bench.sh
new file mode 100755
index 0000000000..9c8339f4c9
--- /dev/null
+++ b/doc/speedup-batch/bench.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+output_file=$1
+cur_dir=$(pwd)
+
+cd ../../
+echo "HEAD: $(git rev-parse --short HEAD)" > "$cur_dir/$output_file.log"
+make clean
+./autogen.sh
+./configure --enable-experimental --enable-module-schnorrsig >> "$cur_dir/$output_file.log"
+make -j
+./bench_schnorrsig > "$cur_dir/$output_file"
+
diff --git a/doc/speedup-batch/bench_output.txt b/doc/speedup-batch/bench_output.txt
new file mode 100644
index 0000000000..c6ae4ec90e
--- /dev/null
+++ b/doc/speedup-batch/bench_output.txt
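Review bot: The `single.dat` rule calls plain `awk` with the three-argument form `match($$0, /re/, a)`, which is a gawk extension, while the `batch.dat` rule uses `gawk` for the same construct. Where `awk` is not gawk, the rule is likely to fail or leave `single.dat` empty, and plot.p then divides by an empty `single_val`. Use `gawk` in both rules so the two data files are produced by the same tool.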
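Review bot: bench.sh has no error handling, so if `cd ../../`, `./configure` or `make -j` fails the script carries on and can run a stale `./bench_schnorrsig`, recording numbers under a `HEAD:` line they were not built from. Adding `set -euo pipefail` directly after the shebang stops the run at the first failing step. With it, a missing argument also aborts at `output_file=$1` instead of writing the log to `$cur_dir/.log`.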
@@ -0,0 +1,67 @@ +schnorrsig_sign: min 24.4us / avg 24.5us / max 24.5us +schnorrsig_verify: min 41.9us / avg 42.1us / max 42.2us +schnorrsig_batch_verify_1: min 50.2us / avg 50.2us / max 50.3us +schnorrsig_batch_verify_2: min 44.7us / avg 44.8us / max 44.8us +schnorrsig_batch_verify_3: min 42.8us / avg 42.8us / max 42.9us +schnorrsig_batch_verify_4: min 41.8us / avg 41.9us / max 41.9us +schnorrsig_batch_verify_5: min 41.2us / avg 41.3us / max 41.3us +schnorrsig_batch_verify_7: min 40.5us / avg 40.6us / max 40.6us +schnorrsig_batch_verify_9: min 40.1us / avg 40.2us / max 40.2us +schnorrsig_batch_verify_11: min 39.9us / avg 39.9us / max 39.9us +schnorrsig_batch_verify_14: min 39.7us / avg 39.7us / max 39.7us +schnorrsig_batch_verify_17: min 39.5us / avg 39.5us / max 39.5us +schnorrsig_batch_verify_21: min 39.3us / avg 39.3us / max 39.4us +schnorrsig_batch_verify_26: min 39.3us / avg 39.3us / max 39.3us +schnorrsig_batch_verify_32: min 39.1us / avg 39.2us / max 39.2us +schnorrsig_batch_verify_39: min 39.1us / avg 39.1us / max 39.1us +schnorrsig_batch_verify_47: min 38.2us / avg 38.3us / max 38.3us +schnorrsig_batch_verify_57: min 37.2us / avg 37.2us / max 37.2us +schnorrsig_batch_verify_69: min 36.3us / avg 36.3us / max 36.4us +schnorrsig_batch_verify_83: min 35.2us / avg 35.3us / max 35.3us +schnorrsig_batch_verify_100: min 34.2us / avg 34.2us / max 34.3us +schnorrsig_batch_verify_121: min 33.9us / avg 33.9us / max 33.9us +schnorrsig_batch_verify_146: min 32.7us / avg 32.7us / max 32.8us +schnorrsig_batch_verify_176: min 31.7us / avg 31.8us / max 31.8us +schnorrsig_batch_verify_212: min 31.0us / avg 31.0us / max 31.0us +schnorrsig_batch_verify_255: min 30.3us / avg 30.3us / max 30.3us +schnorrsig_batch_verify_307: min 29.7us / avg 29.8us / max 29.8us +schnorrsig_batch_verify_369: min 29.3us / avg 29.3us / max 29.3us +schnorrsig_batch_verify_443: min 28.8us / avg 28.8us / max 28.8us +schnorrsig_batch_verify_532: min 28.5us / avg 28.6us / max 28.6us 
+schnorrsig_batch_verify_639: min 28.3us / avg 28.3us / max 28.4us +schnorrsig_batch_verify_767: min 27.7us / avg 27.7us / max 27.7us +schnorrsig_batch_verify_921: min 27.0us / avg 27.0us / max 27.0us +schnorrsig_batch_verify_1106: min 26.5us / avg 26.6us / max 26.6us +schnorrsig_batch_verify_1328: min 26.1us / avg 26.2us / max 26.2us +schnorrsig_batch_verify_1594: min 25.9us / avg 25.9us / max 25.9us +schnorrsig_batch_verify_1913: min 25.6us / avg 25.6us / max 25.6us +schnorrsig_batch_verify_2296: min 25.3us / avg 25.3us / max 25.4us +schnorrsig_batch_verify_2756: min 25.0us / avg 25.0us / max 25.1us +schnorrsig_batch_verify_3308: min 24.7us / avg 24.7us / max 24.7us +schnorrsig_batch_verify_3970: min 24.6us / avg 24.6us / max 24.6us +schnorrsig_batch_verify_4765: min 24.3us / avg 24.3us / max 24.3us +schnorrsig_batch_verify_5719: min 23.9us / avg 24.0us / max 24.0us +schnorrsig_batch_verify_6863: min 23.7us / avg 23.7us / max 23.8us +schnorrsig_batch_verify_8236: min 23.5us / avg 23.5us / max 23.5us +schnorrsig_batch_verify_9884: min 23.2us / avg 23.2us / max 23.2us +schnorrsig_batch_verify_11861: min 22.9us / avg 23.0us / max 23.0us +schnorrsig_batch_verify_14234: min 22.7us / avg 22.7us / max 22.8us +schnorrsig_batch_verify_17081: min 22.6us / avg 22.6us / max 22.7us +schnorrsig_batch_verify_20498: min 22.4us / avg 22.4us / max 22.5us +schnorrsig_batch_verify_24598: min 22.3us / avg 22.3us / max 22.3us +schnorrsig_batch_verify_29518: min 22.2us / avg 22.2us / max 22.2us +schnorrsig_batch_verify_35422: min 22.1us / avg 22.1us / max 22.1us +schnorrsig_batch_verify_42507: min 22.1us / avg 22.1us / max 22.1us +schnorrsig_batch_verify_51009: min 22.0us / avg 22.1us / max 22.1us +schnorrsig_batch_verify_61211: min 22.0us / avg 22.0us / max 22.0us +schnorrsig_batch_verify_73454: min 21.9us / avg 21.9us / max 21.9us +schnorrsig_batch_verify_88145: min 21.9us / avg 21.9us / max 22.0us +schnorrsig_batch_verify_105775: min 21.9us / avg 21.9us / max 21.9us 
+schnorrsig_batch_verify_126931: min 21.9us / avg 21.9us / max 21.9us +schnorrsig_batch_verify_152318: min 21.8us / avg 21.8us / max 21.8us +schnorrsig_batch_verify_182782: min 21.7us / avg 21.8us / max 21.8us +schnorrsig_batch_verify_219339: min 21.8us / avg 21.8us / max 21.8us +schnorrsig_batch_verify_263207: min 21.7us / avg 21.8us / max 21.8us +schnorrsig_batch_verify_315849: min 21.8us / avg 21.8us / max 21.9us +schnorrsig_batch_verify_379019: min 21.7us / avg 21.8us / max 21.9us +schnorrsig_batch_verify_454823: min 21.8us / avg 21.8us / max 21.9us diff --git a/doc/speedup-batch/bench_output.txt.log b/doc/speedup-batch/bench_output.txt.log new file mode 100644 index 0000000000..90161b908a --- /dev/null +++ b/doc/speedup-batch/bench_output.txt.log 
@@ -0,0 +1,129 @@ +HEAD: 0b631c69 +checking build system type... x86_64-pc-linux-gnu +checking host system type... x86_64-pc-linux-gnu +checking for a BSD-compatible install... /usr/bin/install -c +checking whether build environment is sane... yes +checking for a race-free mkdir -p... /usr/bin/mkdir -p +checking for gawk... gawk +checking whether make sets $(MAKE)... yes +checking whether make supports nested variables... yes +checking how to print strings... printf +checking whether make supports the include directive... yes (GNU style) +checking for gcc... gcc +checking whether the C compiler works... yes +checking for C compiler default output file name... a.out +checking for suffix of executables... +checking whether we are cross compiling... no +checking for suffix of object files... o +checking whether the compiler supports GNU C... yes +checking whether gcc accepts -g... yes +checking for gcc option to enable C11 features... none needed +checking whether gcc understands -c and -o together... yes +checking dependency style of gcc... gcc3 +checking for a sed that does not truncate output... /usr/bin/sed +checking for grep that handles long lines and -e... /usr/bin/grep +checking for egrep... /usr/bin/grep -E +checking for fgrep... /usr/bin/grep -F +checking for ld used by gcc... /usr/bin/ld +checking if the linker (/usr/bin/ld) is GNU ld... yes +checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B +checking the name lister (/usr/bin/nm -B) interface... BSD nm +checking whether ln -s works... yes +checking the maximum length of command line arguments... 1572864 +checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop +checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop +checking for /usr/bin/ld option to reload object files... -r +checking for objdump... objdump +checking how to recognize dependent libraries... 
pass_all +checking for dlltool... no +checking how to associate runtime and link libraries... printf %s\n +checking for ar... ar +checking for archiver @FILE support... @ +checking for strip... strip +checking for ranlib... ranlib +checking command to parse /usr/bin/nm -B output from gcc object... ok +checking for sysroot... no +checking for a working dd... /usr/bin/dd +checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1 +checking for mt... no +checking if : is a manifest tool... no +checking for stdio.h... yes +checking for stdlib.h... yes +checking for string.h... yes +checking for inttypes.h... yes +checking for stdint.h... yes +checking for strings.h... yes +checking for sys/stat.h... yes +checking for sys/types.h... yes +checking for unistd.h... yes +checking for dlfcn.h... yes +checking for objdir... .libs +checking if gcc supports -fno-rtti -fno-exceptions... no +checking for gcc option to produce PIC... -fPIC -DPIC +checking if gcc PIC flag -fPIC -DPIC works... yes +checking if gcc static flag -static works... yes +checking if gcc supports -c -o file.o... yes +checking if gcc supports -c -o file.o... (cached) yes +checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes +checking whether -lc should be explicitly linked in... no +checking dynamic linker characteristics... GNU/Linux ld.so +checking how to hardcode library paths into programs... immediate +checking whether stripping libraries is possible... yes +checking if libtool supports shared libraries... yes +checking whether to build shared libraries... yes +checking whether to build static libraries... yes +checking whether make supports nested variables... (cached) yes +checking for pkg-config... /usr/bin/pkg-config +checking pkg-config is at least version 0.9.0... yes +checking for ar... /usr/bin/ar +checking for ranlib... /usr/bin/ranlib +checking for strip... /usr/bin/strip +checking dependency style of gcc... 
gcc3 +checking if gcc supports -std=c89 -pedantic -Wall -Wextra -Wcast-align -Wnested-externs -Wshadow -Wstrict-prototypes -Wundef -Wno-unused-function -Wno-long-long -Wno-overlength-strings... yes +checking if gcc supports -fvisibility=hidden... yes +checking for valgrind/memcheck.h... yes +checking for x86_64 assembly availability... yes +checking for CRYPTO... yes +checking for main in -lcrypto... yes +checking for EC functions in libcrypto... yes +configure: ****** +configure: WARNING: experimental build +configure: Experimental features do not have stable APIs or properties, and may not be safe for production use. +configure: Building extrakeys module: yes +configure: Building schnorrsig module: yes +configure: ****** +checking that generated files are newer than configure... done +configure: creating ./config.status +config.status: creating Makefile +config.status: creating libsecp256k1.pc +config.status: creating src/libsecp256k1-config.h +config.status: src/libsecp256k1-config.h is unchanged +config.status: executing depfiles commands +config.status: executing libtool commands + +Build Options: + with ecmult precomp = yes + with external callbacks = no + with benchmarks = yes + with tests = yes + with openssl tests = yes + with coverage = no + module ecdh = no + module recovery = no + module extrakeys = yes + module schnorrsig = yes + + asm = x86_64 + ecmult window size = 15 + ecmult gen prec. bits = 4 + + valgrind = yes + CC = gcc + CFLAGS = -O2 -fvisibility=hidden -std=c89 -pedantic -Wall -Wextra -Wcast-align -Wnested-externs -Wshadow -Wstrict-prototypes -Wundef -Wno-unused-function -Wno-long-long -Wno-overlength-strings -W -g + CPPFLAGS = + LDFLAGS = + + CC_FOR_BUILD = gcc + CFLAGS_FOR_BUILD = -O2 -fvisibility=hidden -std=c89 -pedantic -Wall -Wextra -Wcast-align -Wnested-externs -Wshadow -Wstrict-prototypes -Wundef -Wno-unused-function -Wno-long-long -Wno-overlength-strings -W -g + CPPFLAGS_FOR_BUILD = + LDFLAGS_FOR_BUILD = 
diff --git a/doc/speedup-batch/plot.p b/doc/speedup-batch/plot.p new file mode 100644 index 0000000000..efc1c27977 --- /dev/null +++ b/doc/speedup-batch/plot.p @@ -0,0 +1,33 @@ +set style line 80 lt rgb "#808080" +set style line 81 lt 0 +set style line 81 lt rgb "#808080" +set grid back linestyle 81 +set border 3 back linestyle 80 +set xtics nomirror +set ytics nomirror +set style line 1 lt rgb "#A00000" lw 2 pt 1 +set style line 2 lt rgb "#00A000" lw 2 pt 6 +set style line 3 lt rgb "#5060D0" lw 2 pt 2 +set style line 4 lt rgb "#F25900" lw 2 pt 9 +set key bottom right +set autoscale +unset log +unset label +set xtic auto +set ytic auto +set title "Batch signature verification in libsecp256k1" +set xlabel "Number of signatures (logarithmic)" +set ylabel "Verification time per signature in us" +set grid +set logscale x +set mxtics 10 + +single_val=system("cat single.dat") +set xrange [1.1:] +set xtics add ("2" 2) +set yrange [0.9:] +set ytics -1,0.1,3 +set ylabel "Speedup over single verification" +set term png size 800,600 +set output 'speedup-batch.png' +plot "batch.dat" using 1:(single_val/$2) with points title "" ls 1 
diff --git a/doc/speedup-batch/speedup-batch.png b/doc/speedup-batch/speedup-batch.png new file mode 100644 index 0000000000000000000000000000000000000000..7f2b76bbfe1ff1854b0ed89b08d75ffddfbe6a9e GIT binary patch literal 10303 zcma)C2{@Gf*M1CRPg7YcWJpXD*>{FYDr*w5hGZT4mTji8Wt&nG$&x5pBWt#Zi9}?{ zUNguxmde=YduCAY`~Uvmb$u?3dFJ>0mUHfNpZlCgl)mn{JFJc0dH_I^>j5%AB-SGV91c)-{6?;a188JD zntaL{9Ss0TG(bj^L&;yBi->@?BF8$x`wkyIEF~qSqoZSQZyy>O`uOqVl9H18`udL_ zKaP)&gG($(N@9uF{QijrqlGatnK*olT-H!XB$E38a5caV{2eL~Eg%+cOno1H=#V?O z6#!_D_%s7hwnzp(eI~OfkVEws&}i~mU=8g#m3VVuBBrL?xgwn9_wS)}G@Se#Al@QA z0J?|Mhq3xdBWH0mJAh_qMmBn zy{x@~+|XWM6hua*li{_swP-ZDqoX4}K7M|FzOJrrbab?^urMtxO-)UWkB`sF$|@ZI z%o^s-gH~X2*E0120JbK|56weSHf{ib1Lx1EU-o}8m-;pNRRx>oHwAx%W5tb~^P!_j zj|Z6O?f4InXM(;OMcsNd#K0kIn@9sr^nZTAopRqkN6nV|Tg+}^qn*E830QrzINuv8 zFvmbFIU2y}GZI|0zW2V|oLly^+G8_EWDNiUsjwN3k?<6G?)C-90_Lh^G$6G!8n zOL4KA{T0qXtAD3yrMy|6MPj4_9GT0vjCI!eno3y)mpe2oPe>UWBd~-QRb7am??rn3 zS?p3K%rV~4y`zwp0iM^Y*dS6*_SF;k5xeG(X%DW4L(a$5BJY+VUAoyMTSH>5t?{3m z>Wy1|?HDD{!h=}ML}vDxRq~7D|Q?GHJ|RwZGLH-xSrs*k2Gohf|Fg# zv())?%|`cNjOa>{Y#*^BSZ=_5CT9KUQ0$y5*F3Y`V%YeSA?8bW^|g&JCuit=y1`>5 zLL~=`U8^|Wm}TL}4i+kT-3M8+$jc8_?96=%aqDsgcLwyp-1TIhw>bK8&W zFLM{4wS1o@-3*!X)vRZeyIN{qH@>VR`^Cl}HY|ebp`l#6+^W&KuUt6g zw`s=8N;=xDp)7W9HZqY_`+_<;v$<{Gh~hV1XvYp7K6JatB%|wR^j{1$|4UU$WFKVxUtqUw}K8Z^kulARD-zF>1 z+lH7ySK8igF1o007cEcWHV6~#MU2$Iwt<|f(n3@@tVTR;Cg$2!;^{`j(v>!74m zz_rAZqYLZ5a*``->8__5&xv%RSf&TG8F;RUT2`vEU6Sqj4sLxCFF4F+(KisJ8r{CW zsfo`av*R4B-hcyM=ODA6@r*CYYdvcDQnSVVGYF>>xOVzjo1xB7NS>3-J&1KQN<+f! 
z0I@ad02Js~m*H`&RzSeujsE*_?dq8S&JxIh4bo_{TS~)wH()~q0Rv=_7+@imOs~3C zcF24~XwL^x7ROn`f~mwuZX1ha<)*uQHqBwBnGUTo!w9VSTSt$Md0~}D zq@HJOB{X#x&ATH~`)??4MP@_R8rCfCCDL-Zxv^7#V0Kv`ZM{&q+?$0}(Qi5&Um|9BDuS$yANFWBv};i*FkSbbW;@_fj+sK0$(=%$*( zzNM2Q*f{f&#WtDYS;*p+(6?I1RW;g1Wv+~;%QwQgEUhfbn{r#kyWiGt^wqwT;KDWP zbfrb#WSXX_!)=wY%ztRRDoJ#-Ma>h}9p~0plb;bx2e{Ot^rL$IAbRqwmrM&a`!~X3ArIA#mN0?<<->=kyM%Iv@h zb7H1&os#aKY4}oao6pC=C@ay^UlG+(qJbSkU^$v%cAVWkCr|swYbl;nds-5e>?xxd z4w?psmmUB-(2!NuKYN&8Vj-?B_wXwGnLrH}_DOqayp{pnOedYNi09ZVxH#Ds@_VU(BM|!l#Ky4 z;k%$D3HBu=Cy=;3{+yp1>InglYQEQ(NQ?mQ;PUEgc`T~FYo6*yq8yACvn7z zC5b5n_Ducf_(BS{aqEs&z6Rn4ZH|4vA`ZJGweGL{x>BHObfn{-;Qkz|fHOV_g@n+@ z6xK>|MFtFf?6Tc=NsHkHXzNy+u0^5DqY2(t8-g0`&EkFDIfEX2p+Zx7+Fc3MzYQ^O zt3LPK=FFHWp@BJ%=taDL*wcLOn~|qy;GHH zJ1(@E*)oLpwe~qwDeT02NF}!y>u7K6m?)1)( z7u;Uhg`M+>O>1KAPyqBFkYgedD=Y5=i6^7jc9yzWVF14c0vNq#naB(t3^*dMieTBn zSHti*X2FUL;Ge@K81~%(Cw4hiyPx{155M(?NOjBctbZaGbUQtGEVgGMuGocq*Wf+M*L!hWyiygdi2^Cj?D6aX0Tg+{2(bkoNVVcvU}1O57Me zpwP6$-0~Xv)Sh?g)X@-p57`f;T`z&LpqlJ9s6kh-|r z8GoFAi|FS#?x&;o_JOK*TSgB*q06Shh zH`KsFh*XyTyODX{i#%$hC%KT_?HF)yS_6}i2L(=r>52mAZFX8Z3UbRo-mq)Yfja@3 zSV8Vae%x7?=*OblzUiqTJxGHS0-~mWyEz?+xyB^anszUin~BF6wSv z$)4SNJ=!=U&xzf=uOzoM@3PB)qp=EFT23?MPeSYhEHGG1p@wIOiwu(gH9(_|xs#PA z`ca)I2vSP_;!T1J?GA=Ry{ujjuL#vawxh$_+WJ_y%#$d^unV+BNDQL^A?~N4&rT4k zRTU~KuNZ{vyFe5WzhEdkDSBt;!0{;d$b&xQj|2O2l81O$i|ughs}b!Tvd9ccniKkP z$uFBPh3KmT+yuxI%_z%5cdJhImXe>k?%2yy$L~I`8>rFRC;UdF)4Cik-W1bw7kpe= zuX^hB{+49Vb!234q8H}v)A>GIQ+~n3gZ(tjXYRkVe~%-%sT}!g4tFc>YZGI>tIW1T zoMe1$84|Z1JL=gt{>iI&0ur!Q6LROz$5vJ1bwSv-qboY)k3fy_%fI_)4eRkN+MDjd z`O1ySZsp=9z{=w1;!W5Dycj(VvzJFY_^}mR63UK*bMnX6@1%Kh1sKrJ9hb6g=XtVt zZQhWt-fZWOfA{B819;{G9n0UdJT|}U@|m-CNjmU_Z?Ll%wrg%ersJ$b8Uxy_M55`Y z>BVN=HFv|k7u^CK?h~Wa&b;`#0w#VzB~+Dy)*BC5xAVM(A*hgFmk<0+4*iRgg|FUj zj!vz&7}VR<>lS&DB!?W|2G|?G%OOzDL&RGzef_U5>-4JaaACk?uL!K`vs2Y@{<*QSX1&>iTfaW2-p`%BSBHO&u8XF}L*}|t)AzFNlyXdA0&bj;GW(0> z-99Ra5g!cT#)jiQaSDupRndF@8}BE6VPMQjdx2t)wX46j2T?@q2Opjmb)s;ew{V{a 
z4+9PIAV@jrq#b^u9-w3Nlignc-{md*l=frfG#G90ORc%6Gb9@t_Zv+lo7L|-67Gx= z>d+&wQf*rGVw-8UzSezPd!v`O1k~tyF|+(+2_2%)8Yd z=4NnuFDzo5YCdN-F@b>Lj&yMLjiGZRO`*3^0>go zC%=eMXh<0#4ePZBF z{whn#vVxOuZfrnEeiV)Dx>j=WM^AgZ>uT1d?Y?8r^Fnx@STBi!)LX~IOfcRi|I(lt z$4gyA9q@*oJbo|n8B)N@3(PGc2Uv^0t1lM_jjd#FBqpHy5??gT+QHHlJ5y%JEn z495(&bUqNRjIKf@XK&^xt~PnwH0ud`p;SbEcX`FvO4w7DW*fYjlURXb1JY#W;M(kz z3Hzx-fX&hQoFhVNfg0ixc;S6cvLTh(O7G*0eH`;o&b0PUiZSuq|Iw)Z9%eq1Hb%Wy zCdEXuidM5|eTgG<&KDXhL{e`ZyMGXYm8RPM0&MjIgz39#G-x;16y`}A3vsp3-|*3P zq+tP}U|Mt8#d3kk+%k~M^V1tR8}q%hcheP7>g`p|=HdLkj;9zZ!`3(Yowh?xoq)ia zRkT&TY5st} zcanv0cK#?7a>Y8*M=ICX*HX^Zz%|6#6#iTSf$dI5qQV2K9*}7iqalv3@cNjQ@1PB@ zn8yvjmGdfpZ}8>o79`-_Sqz0}j{Ck9i3#-At@MjDsx7gFLh4f`0xYWydY4@}av%Z9 zRtOlD9ksXcx4Eng2QKC2#Qa{qQneCMEAQgHg?vF_wjz;_8Y|jy>^o8`j6g%O;Ps6- z0~Y5a6W323avt9IZi|++IPO+zb)EKkUU7Duqdt6!su~{HE*1HmQkY-^;RWg$YBp~H zO{-L`rz(3RT*Gd020Wlyt{2HWEdyq{p@_f^UWzNfqCB`Qkl5OaQ%GefW#LVG5KvXT zH$Wu>z@x7Z2S0#Zr$Ih=;PZ4aPr*WPM{H1H*#Dl~bu;*+pZ&hw7J_au-sh{8QRLtj zuz)F(mn0u62T9!yh>X3)a>+){&A$@&tsxb4NP3*2J3x{<%)s2(W&p1n6RVocN(+r) z3%fYpSI;C=hmm+P$$sgDbO@_*_D{JNvh#{n+Xe3Iy^9>UBjpDv?D=q#V)nplrf{KCY-0(WO}iOS_^Zd1p-#|F2Za)9OPSJh%Df%t8OCURLL>Ew-hKd4 zd!$2+AeOX5VT&Cs5IYDDs|mf7d0rpqQVpq{O4J0yLu~q;i6PG7)I%Qm212<5sFfz? 
zJ1>5_w7N$ht`;tHY!bQME2wQ77f)Ct)&gKdAcdC76}6zL)Iec8z|=$^Zeq>kC=BC9 zz>2n|TZ-rG#HLI++3vkuJ4r=C@21%NEsdww|FmMjL_JrO;`dB*w&V#5VKb<|CDZa$ z6GTnNh^sj%b3`7tPK|1 z45@N~anf6x7EN;~fbMV3D8}oA?!QtTT=3yF@p|ig8c{Sb+5n4r|NXzx6mYjKy>Let-tSUc6)#DGOUw9>uPIz*u4A^9%VM^1hQaDv z5_8l2l(dwycy$%vjHXPHL@h;csb~-Poc+p+XyPG=%hS%Bb5xwp7iGRU?e7C!x{1G> zptsbZX8I>f<_o4@qy zOV3yO-J$%w@m19c!#{7%c#~XrFM{_|N>Mo5sai-Hs9FGQ=7^6#uk4>FNtp2ujp_7D zcjx|7{vP)YlK)^qMDhcE_M;qO-1;xHfkq znvM)PvPesnqx*Xx8Evuma1V#%_5FEz=ID=C8J>WFAJ);Mq>?$oi!gRA8!bM>FEDKG zTSq=jD%~ip8NJy@!wa82ExJ&n*V)t|yTJN&YXSU+IS7(tKe?qw!U*R#- zPDm!QE7i{QK66XXS)3R%MA1}8HCnuij^$6J78_I7+A}Tn;bS?+r*jd>zCxGSN8`ej z!D?gQa4+8Clfe>W&~C#LjFO)g9i17!@9qC-en%PdS3*(RH_TZeY{6n1c_)vhsndC1 zl{^Pf&{*-|PX2W6(AG#Ul2s+~Z`nYRo+W3QEjkd?`tHOrlxg|L{Q6qIg=;W zo;5+5-Kpj+qNIKve8J--bI)pJw$}ymF*m^?+^uc^V$eZTm@Y2<#%w;N;6j;rQZfr+ zF-P^a%F{F;2az2y=xaCp=8{=X^4q*)c;X&AMB7uhnWSd~4{DZL=ALQG5=$)Xq$uBV zXz}nbTW6L_ms;95BA+j|GY0TbBX*OX`HV%uH(#mvY|&VaS^lSLwBaUG*OsbUhmVX1 zkY*=0K~fe*>BE_9lCxjMZ2TIBN3j-5&QA0sI#)?GTiQd&=qltAqoUMwS^>05rYI!E$%jC0GQODNc~p}mC~Z3miVCLgp7?b zFjB=DXDwvk!@y2T`;MM+ABc4Uu+y#p4$5d?GJy+br6L{l;c#k_G_{W8$k<86Ct29F z?ttxgkSdTsOd;~rzdNA+)k2*UDr&-;9o+1UT1VDTOeUMucwlch{sWJTI!EGN3Zi@OZ;?-JiieX0y6zx&+vGY3!8tPJ=Czu7Dz&>@#eML(P zjJBJm*2%(7YY2pH+qHkF?!R>UtZzMLfQ6MFum+u)NfCO(_68g`nC}QrW=!oi&e%>E zllK~VEYT&TdhVlalj4k`C~XW-#NDN9ouCJOUBG-9oF>VGW-jM~$;Kyf?8!>$WFiHD z;I;f5q@;G&JfhE=qO0ju3x7TZi^ML_O|)Bw=$Yvd$dCSrxeN%?$vW6Jaz4tRRw`WN znokn=wruM|?b+pA5rqN1r*BRh@mq(}WZp?yEE%X{Xei8MuF~arxQ)P#Q^Cj5k(Uxc z40QHrq$UGnJl=0$PzaGu0^gD}Kc9GXRCh1k{hbJ*6?GTZ zvcy1WNMT8fyg?#Zp#AANibSDy5J`*UxhANR6O^PyIoX}Tmh1SjUhG>)4-FA)PAaWj zhSMag#Djuwy9-uJ%dRCz9jYN0NyD*n4B>qnB=Czcsja>1%mnume#(QPZJ_tfj=T)a z`&v&CD-;7mUH6<*sgGCB;6CGnHv7pLqN_Lo{|pXZ37IW9L)EuazCmj7=X~>!zL;wq zE4=z}zy*G)NzoEso%~Q^d)E<+7VsS3xwRAyif9Fo5y7a^^sadCf}u4Vq@ErmP_T89 z8d|x&!ebV0qWX5h$x6feegXKPBxi7O6J#;lxec0^&mqX52VWMGRpB+}KqQ~yfl0mA z;O(a;6gzxs0-GY#AoRB9pY4UdL`FQS$Eagr-ttGXkU{?(D8W$qoZ_lC@Yow3{h_}k8vQrG?s0Q3(j{|mtM|6&qwYHAkUb?A1> 
zZ3hs8*PisVb%mETf>nZSDQ}_(EdB~7sQswhk4+leyjWKHeb-yAP42h(u*#*pnm*{# zjJZ=2a5Vx2G!9BJkX3#vz(Dy9liDV_f06J1XUHoFzmEJg#{m_`F(QO1-|56g)JVjuL{y77P%puY@DB7F)pH*0 zc;v?q+`p#Wlclt=7;-6UZRfFUQWWyQ+;5!%-Nrg}=v%I13&Wx*^=yS&kaKU1 z3u!R{-HnHt&G?s1mrsI29!*-!%P_h4pFPlzf2cKvC4KjS%fFHur(N{_C447JIs_M} z1L3y(Otmd99qBk+{$y)z`~1T(Z7$Xu5|1HA=VeFzD-C>YPr8E&E`*>wLaG~&FX&{Uno`B2=K*Wf)A(n;ukoB6rLfUHqwfRRKQVM+=oo0VCL~Z@HOsEexmd2=9M$xeaxP_#5vKgbG z!?8xXu9ktx4GiBl3P2?p1muK5!q!&v>7x|RX>h&`gvkvds+Ih^J z_MWYImA|NDRjU+gep$T>@=|~N&3eNLtbp81!gTAL*KDi39_pk}d9|dwYTu7X^I}~u zmvd=wLu+06h94o0)3&|#^H;BiT1~0RPLm5n6@cYSGSAIy%`pVjxYGc?mIY@(b+$}^ zMU_#(%b(5pm(LCdcZR~@yoV6V2(vg`id$AUlGEmCL5q(n2?802;X3-0$XF3))ybc(RXJ%WSzX2}c z6zp;hX16(@@;F;Fr>yF|l2wU*{@U2PV3zEZ9-!!vZ@%Q5Q;8V1)kr(RXJ5Hw*{k^q z4ZoT7qP#g(&*Ea_+P$lFngghj5e_XG>7ma?t+~jdceXQzEZu(VW%S)cKiCUf1g4qo zE>kA$wxo+GuBREg+EbuE1M#S<;AjmV$bU9>p(o$rF?W0q{^0d3hk;wAp%vBN3z}9(;J(wck&m+IF*lN)9%_1?UG%4gM4j2q!V6aG6pmnU Date: Wed, 7 Apr 2021 21:06:59 +0000 Subject: [PATCH 7/8] for benchmarks only: use 128 bit randomizer This is just a commit for benchmarks and should be improved if 128 bit randomizers are to be actually used. 1) it does not follow bip-schnorr batch verification 2) the randomizers are not uniformly distributed in [0, 2^128-1] for no reason 3) chacha output is thrown away --- doc/speedup-batch/bench_output.txt | 134 ++++++++++++------------- doc/speedup-batch/bench_output.txt.log | 2 +- doc/speedup-batch/speedup-batch.png | Bin 10303 -> 10359 bytes src/modules/schnorrsig/main_impl.h | 2 + 4 files changed, 70 insertions(+), 68 deletions(-) diff --git a/doc/speedup-batch/bench_output.txt b/doc/speedup-batch/bench_output.txt index c6ae4ec90e..e9608ba641 100644 --- a/doc/speedup-batch/bench_output.txt +++ b/doc/speedup-batch/bench_output.txt 
@@ -1,67 +1,67 @@
-schnorrsig_sign: min 24.4us / avg 24.5us / max 24.5us
-schnorrsig_verify: min 41.9us / avg 42.1us / max 42.2us
-schnorrsig_batch_verify_1: min 50.2us / avg 50.2us / max 50.3us
-schnorrsig_batch_verify_2: min 44.7us / avg 44.8us / max 44.8us
-schnorrsig_batch_verify_3: min 42.8us / avg 42.8us / max 42.9us
-schnorrsig_batch_verify_4: min 41.8us / avg 41.9us / max 41.9us
-schnorrsig_batch_verify_5: min 41.2us / avg 41.3us / max 41.3us
-schnorrsig_batch_verify_7: min 40.5us / avg 40.6us / max 40.6us
-schnorrsig_batch_verify_9: min 40.1us / avg 40.2us / max 40.2us
-schnorrsig_batch_verify_11: min 39.9us / avg 39.9us / max 39.9us
-schnorrsig_batch_verify_14: min 39.7us / avg 39.7us / max 39.7us
-schnorrsig_batch_verify_17: min 39.5us / avg 39.5us / max 39.5us
-schnorrsig_batch_verify_21: min 39.3us / avg 39.3us / max 39.4us
-schnorrsig_batch_verify_26: min 39.3us / avg 39.3us / max 39.3us
-schnorrsig_batch_verify_32: min 39.1us / avg 39.2us / max 39.2us
-schnorrsig_batch_verify_39: min 39.1us / avg 39.1us / max 39.1us
-schnorrsig_batch_verify_47: min 38.2us / avg 38.3us / max 38.3us
-schnorrsig_batch_verify_57: min 37.2us / avg 37.2us / max 37.2us
-schnorrsig_batch_verify_69: min 36.3us / avg 36.3us / max 36.4us
-schnorrsig_batch_verify_83: min 35.2us / avg 35.3us / max 35.3us
-schnorrsig_batch_verify_100: min 34.2us / avg 34.2us / max 34.3us
-schnorrsig_batch_verify_121: min 33.9us / avg 33.9us / max 33.9us
-schnorrsig_batch_verify_146: min 32.7us / avg 32.7us / max 32.8us
-schnorrsig_batch_verify_176: min 31.7us / avg 31.8us / max 31.8us
-schnorrsig_batch_verify_212: min 31.0us / avg 31.0us / max 31.0us
-schnorrsig_batch_verify_255: min 30.3us / avg 30.3us / max 30.3us
-schnorrsig_batch_verify_307: min 29.7us / avg 29.8us / max 29.8us
-schnorrsig_batch_verify_369: min 29.3us / avg 29.3us / max 29.3us
-schnorrsig_batch_verify_443: min 28.8us / avg 28.8us / max 28.8us
-schnorrsig_batch_verify_532: min 28.5us / avg 28.6us / max 28.6us
-schnorrsig_batch_verify_639: min 28.3us / avg 28.3us / max 28.4us
-schnorrsig_batch_verify_767: min 27.7us / avg 27.7us / max 27.7us
-schnorrsig_batch_verify_921: min 27.0us / avg 27.0us / max 27.0us
-schnorrsig_batch_verify_1106: min 26.5us / avg 26.6us / max 26.6us
-schnorrsig_batch_verify_1328: min 26.1us / avg 26.2us / max 26.2us
-schnorrsig_batch_verify_1594: min 25.9us / avg 25.9us / max 25.9us
-schnorrsig_batch_verify_1913: min 25.6us / avg 25.6us / max 25.6us
-schnorrsig_batch_verify_2296: min 25.3us / avg 25.3us / max 25.4us
-schnorrsig_batch_verify_2756: min 25.0us / avg 25.0us / max 25.1us
-schnorrsig_batch_verify_3308: min 24.7us / avg 24.7us / max 24.7us
-schnorrsig_batch_verify_3970: min 24.6us / avg 24.6us / max 24.6us
-schnorrsig_batch_verify_4765: min 24.3us / avg 24.3us / max 24.3us
-schnorrsig_batch_verify_5719: min 23.9us / avg 24.0us / max 24.0us
-schnorrsig_batch_verify_6863: min 23.7us / avg 23.7us / max 23.8us
-schnorrsig_batch_verify_8236: min 23.5us / avg 23.5us / max 23.5us
-schnorrsig_batch_verify_9884: min 23.2us / avg 23.2us / max 23.2us
-schnorrsig_batch_verify_11861: min 22.9us / avg 23.0us / max 23.0us
-schnorrsig_batch_verify_14234: min 22.7us / avg 22.7us / max 22.8us
-schnorrsig_batch_verify_17081: min 22.6us / avg 22.6us / max 22.7us
-schnorrsig_batch_verify_20498: min 22.4us / avg 22.4us / max 22.5us
-schnorrsig_batch_verify_24598: min 22.3us / avg 22.3us / max 22.3us
-schnorrsig_batch_verify_29518: min 22.2us / avg 22.2us / max 22.2us
-schnorrsig_batch_verify_35422: min 22.1us / avg 22.1us / max 22.1us
-schnorrsig_batch_verify_42507: min 22.1us / avg 22.1us / max 22.1us
-schnorrsig_batch_verify_51009: min 22.0us / avg 22.1us / max 22.1us
-schnorrsig_batch_verify_61211: min 22.0us / avg 22.0us / max 22.0us
-schnorrsig_batch_verify_73454: min 21.9us / avg 21.9us / max 21.9us
-schnorrsig_batch_verify_88145: min 21.9us / avg 21.9us / max 22.0us
-schnorrsig_batch_verify_105775: min 21.9us / avg 21.9us / max 21.9us
-schnorrsig_batch_verify_126931: min 21.9us / avg 21.9us / max 21.9us
-schnorrsig_batch_verify_152318: min 21.8us / avg 21.8us / max 21.8us
-schnorrsig_batch_verify_182782: min 21.7us / avg 21.8us / max 21.8us
-schnorrsig_batch_verify_219339: min 21.8us / avg 21.8us / max 21.8us
-schnorrsig_batch_verify_263207: min 21.7us / avg 21.8us / max 21.8us
-schnorrsig_batch_verify_315849: min 21.8us / avg 21.8us / max 21.9us
-schnorrsig_batch_verify_379019: min 21.7us / avg 21.8us / max 21.9us
-schnorrsig_batch_verify_454823: min 21.8us / avg 21.8us / max 21.9us
+schnorrsig_sign: min 24.5us / avg 24.6us / max 24.6us
+schnorrsig_verify: min 42.1us / avg 42.1us / max 42.2us
+schnorrsig_batch_verify_1: min 50.2us / avg 50.3us / max 50.3us
+schnorrsig_batch_verify_2: min 43.5us / avg 43.5us / max 43.5us
+schnorrsig_batch_verify_3: min 41.1us / avg 41.1us / max 41.1us
+schnorrsig_batch_verify_4: min 40.0us / avg 40.0us / max 40.0us
+schnorrsig_batch_verify_5: min 39.2us / avg 39.2us / max 39.3us
+schnorrsig_batch_verify_7: min 38.4us / avg 38.5us / max 38.5us
+schnorrsig_batch_verify_9: min 38.0us / avg 38.0us / max 38.0us
+schnorrsig_batch_verify_11: min 37.7us / avg 37.7us / max 37.8us
+schnorrsig_batch_verify_14: min 37.4us / avg 37.4us / max 37.5us
+schnorrsig_batch_verify_17: min 37.3us / avg 37.3us / max 37.3us
+schnorrsig_batch_verify_21: min 37.1us / avg 37.1us / max 37.2us
+schnorrsig_batch_verify_26: min 37.0us / avg 37.0us / max 37.0us
+schnorrsig_batch_verify_32: min 37.0us / avg 37.0us / max 37.0us
+schnorrsig_batch_verify_39: min 36.9us / avg 36.9us / max 36.9us
+schnorrsig_batch_verify_47: min 35.2us / avg 35.3us / max 35.3us
+schnorrsig_batch_verify_57: min 34.2us / avg 34.2us / max 34.2us
+schnorrsig_batch_verify_69: min 33.8us / avg 33.8us / max 33.9us
+schnorrsig_batch_verify_83: min 32.6us / avg 32.6us / max 32.7us
+schnorrsig_batch_verify_100: min 31.7us / avg 31.7us / max 31.7us
+schnorrsig_batch_verify_121: min 31.6us / avg 31.6us / max 31.6us
+schnorrsig_batch_verify_146: min 30.5us / avg 30.5us / max 30.5us
+schnorrsig_batch_verify_176: min 29.5us / avg 29.5us / max 29.5us
+schnorrsig_batch_verify_212: min 28.7us / avg 28.7us / max 28.7us
+schnorrsig_batch_verify_255: min 28.0us / avg 28.0us / max 28.0us
+schnorrsig_batch_verify_307: min 27.5us / avg 27.5us / max 27.5us
+schnorrsig_batch_verify_369: min 27.0us / avg 27.0us / max 27.0us
+schnorrsig_batch_verify_443: min 26.6us / avg 26.7us / max 26.7us
+schnorrsig_batch_verify_532: min 26.3us / avg 26.3us / max 26.4us
+schnorrsig_batch_verify_639: min 26.5us / avg 26.5us / max 26.5us
+schnorrsig_batch_verify_767: min 25.8us / avg 25.8us / max 25.8us
+schnorrsig_batch_verify_921: min 25.2us / avg 25.2us / max 25.2us
+schnorrsig_batch_verify_1106: min 24.7us / avg 24.7us / max 24.7us
+schnorrsig_batch_verify_1328: min 24.3us / avg 24.3us / max 24.3us
+schnorrsig_batch_verify_1594: min 24.0us / avg 24.0us / max 24.1us
+schnorrsig_batch_verify_1913: min 23.7us / avg 23.7us / max 23.8us
+schnorrsig_batch_verify_2296: min 23.7us / avg 23.7us / max 23.7us
+schnorrsig_batch_verify_2756: min 23.3us / avg 23.3us / max 23.3us
+schnorrsig_batch_verify_3308: min 22.9us / avg 23.0us / max 23.0us
+schnorrsig_batch_verify_3970: min 23.0us / avg 23.0us / max 23.0us
+schnorrsig_batch_verify_4765: min 22.7us / avg 22.7us / max 22.7us
+schnorrsig_batch_verify_5719: min 22.3us / avg 22.4us / max 22.4us
+schnorrsig_batch_verify_6863: min 22.1us / avg 22.1us / max 22.1us
+schnorrsig_batch_verify_8236: min 22.0us / avg 22.0us / max 22.0us
+schnorrsig_batch_verify_9884: min 21.7us / avg 21.7us / max 21.7us
+schnorrsig_batch_verify_11861: min 21.4us / avg 21.5us / max 21.5us
+schnorrsig_batch_verify_14234: min 21.2us / avg 21.2us / max 21.3us
+schnorrsig_batch_verify_17081: min 21.1us / avg 21.1us / max 21.1us
+schnorrsig_batch_verify_20498: min 20.9us / avg 21.0us / max 21.0us
+schnorrsig_batch_verify_24598: min 20.8us / avg 20.9us / max 20.9us
+schnorrsig_batch_verify_29518: min 20.7us / avg 20.7us / max 20.8us
+schnorrsig_batch_verify_35422: min 20.7us / avg 20.7us / max 20.7us
+schnorrsig_batch_verify_42507: min 20.6us / avg 20.6us / max 20.6us
+schnorrsig_batch_verify_51009: min 20.5us / avg 20.5us / max 20.6us
+schnorrsig_batch_verify_61211: min 20.5us / avg 20.5us / max 20.5us
+schnorrsig_batch_verify_73454: min 20.4us / avg 20.4us / max 20.4us
+schnorrsig_batch_verify_88145: min 20.4us / avg 20.4us / max 20.4us
+schnorrsig_batch_verify_105775: min 20.4us / avg 20.4us / max 20.4us
+schnorrsig_batch_verify_126931: min 20.3us / avg 20.4us / max 20.4us
+schnorrsig_batch_verify_152318: min 20.3us / avg 20.3us / max 20.3us
+schnorrsig_batch_verify_182782: min 20.3us / avg 20.3us / max 20.3us
+schnorrsig_batch_verify_219339: min 20.3us / avg 20.3us / max 20.4us
+schnorrsig_batch_verify_263207: min 20.3us / avg 20.3us / max 20.4us
+schnorrsig_batch_verify_315849: min 20.3us / avg 20.3us / max 20.3us
+schnorrsig_batch_verify_379019: min 20.3us / avg 20.3us / max 20.4us
+schnorrsig_batch_verify_454823: min 20.3us / avg 20.3us / max 20.4us
diff --git a/doc/speedup-batch/bench_output.txt.log b/doc/speedup-batch/bench_output.txt.log
index 90161b908a..02b974b5cc 100644
--- a/doc/speedup-batch/bench_output.txt.log
+++ b/doc/speedup-batch/bench_output.txt.log
@@ -1,4 +1,4 @@
-HEAD: 0b631c69
+HEAD: 1e850ba7
 checking build system type... x86_64-pc-linux-gnu
 checking host system type... x86_64-pc-linux-gnu
 checking for a BSD-compatible install... /usr/bin/install -c
diff --git a/doc/speedup-batch/speedup-batch.png b/doc/speedup-batch/speedup-batch.png index 7f2b76bbfe1ff1854b0ed89b08d75ffddfbe6a9e..488111b6db8583e9bf5fca84607d9233f338c3a9 100644 GIT binary patch literal 10359 zcma)C2|QHq*T05IhL~!yWE+wtvSybVOGO)!Es2DZ>{~LJp%7t83Rz2(HT%9KdqjjV z6J?1owipwd_YU&w_y7Fg&-?mV=05j6=RD6j=Q-zlzSn*I^QZQ}4#EHc*rThXeE|UI zkpKWO-AxaU zbRCu|ZG{a705le$VyOYtPcM%g0jHuzy1;n{4<3}0lRJ0roSmIrKtMoTTwGycVO?Ea zdwcu%_&BIyURD-Q!smRRm^Ydqp;Af2Kx)a`JQ9i84}jVL8}N64V7Q=UxXI>qI2V@- zxD){B2>CD#(3VIAK76DiqNxG;^H?nP1n>*%HudDr{KSLmQirl&=H+EV3KmIy36KIw zkAWUy3K6f5Hgb@{A^~+%-Pc0F?k#KaEDJ%%od6l=K4?% zC+NuoPt=xoei*Tg-AKf1!@Y;7NiW!_vgFwpygx!fF8fZ!JfNiya54E=P@$090DxYw$CJv4i! zRTt$OrhCOnTiy@Fnjb$-oX^+8w7*z8JYDPRfJ#8L%y2|gUg{%TzlNClzmz!R;BIp8 z<(h+qNrzR2kBL#ayb+mPX%>^6b+}YgabYl`Js8x-&zzPWo(_bk7w2k*wU^3MJ_R(7 z>w7!ga852(-nBTSCS}6bL)OCmiIVkrMsP1F-p5C8& z&cwVC;^5_S6xqM%YabW+)aR(#oTxQO9Oi1px<0aZK9?Isu_dNBt$qr)ehFFa*OzW? zup#KPlJ2=It@lC-zcQrtEy%U6TFqg&Y~M|FdyzvW1N9!ou|r>_7+^y3zXYC4een{1 zF@>6Jk|#bpqBtAUq<87pvd?P$oAoqwa9{BK$TiLV2T`+BeexdG70_NOHx#X-s}@U- z{emp0z95tiHH0*NCpxH(Do9m#a~Sze-;|MBtJeZuX^wO6-7^;sL&v`;0c@LBJ@jqB16^~!g z%PhEGI;3N1Vb)g~4$+OwMaRGOA8#^yZ;pTVOku5fX^!2dX5AOZIXyYl@*wNsLQgHU zd+@uXYzfi=-22Rz`3Ou!@4;Qz8uaPttD!MR-my329WJ3dIIbC8t@vhE3$ty+uy*@h zt-+LjAXlEd?hYeI+)?SI7=rfvGJ#<&$V69gHQ{eN^HlbCYJ}COW8{0yN(*y_@_J7h zfPq1_jw_(_#EK zKPmhdb!Yb)4hJKg$J(pl2FB5@YJVx?@hG-~CXwmKtv}yVXiv!$A9@_u>L!=SiyO{3 z-rK-?NHjD1mNCxGT;Iq}X++w5A&laRe=aFv87qb26IlrGuy7cqNGLdvxtEiFi-9T} z-2HiM&f!>2DThtD!jqf3s#my2F)inO2el6O7@i~eXS*ppgjg}5QaMYROl+I)LxAj* znaCmw9>i{ZDvD|BTMGKW=Le+Y?+x=+M;Rr`9;_u43aNvL!hxEFywOqT@VBkb-S{d< zT5~4qH_8B+T81}9oGVXX)20j;r1Tz2FAFwpc))Cb;^Sk73In8SilGGZu)>2#eI)X@ zb(}g6L}pa;lEJa@cqcImC?Pq-bU~|qTLw3@fWG@Ya5>2|gDnI-$b@xpA82hn9m>Vg z9rj$T--BP=QfW|xq`ud>>0Z(E8*TDLLFnSRq8a%<-U~AF{IZ{0{yy6Lha(?rl5w%F z0y(1bZs*AUlzN}wZ%(%V$T3Bhc9@3~oosbf>0Idc#W`aFi}nNg`_($xhS? 
zU+$?k^lwkC^Ko?4)i!`ie(suWav)pUO8nl8$uLg7<~@kOtlQN)O+#{#Di2wshYZpw^ShHK}z^ zwRS{lN_wkUf97QlCPjNAR=q@P_NUs7K6R+z7X=qXKmyesqpTWQhh zeR6qG+{MRG&bME#-~91>V`CV#eA&20sI0cP`RLf*Hmz3!tK;#cxy7lL(>ItGdwDsc zo_apu*SEsyV?;DNnxy(Y0`SbdKTXFY_ntZ0`E`HynO&1XeiZ`X=2MtpLJWVLPV%O_ zCR?S9D1N)U;~r~V!b}ZIS|ZTJK%WKQ{0rR|xO1CKtU5w+K>vx6O(V}T0HIu<^|7%# z-b!?8=7P&frX4t8m^;Ncc5p3MbTvXrV3whdV)dPLhvsN?QT+1GBTnNPNmh#!HORk% z6}kC%XfYosJAn;mbA0D!{xfgJ?F;b=>W1NC>Ma~LnT|f|I4$%f^pU=QJpVqY$ld$y zr*^eJVdM4!?WG9@b739afeqZA5;LNOZ~LZ+$2G;dKNtNT8AGnSz$XA1twAOLF1M{P znUr+CL+`0xmxuedl64P7m{5Co`+TKO*R@}GF_q)oE=N9>bJwef<)c}MvokVDY52WL z%*&(SO-B4{BcR^`#IIa?3^^0>O?B^01%HYzsWZx0RrmMabKdw=bdvw*)f@X@M~^&Y zgK5Wi>P4z--6@5Xk8<6sW#!8$xnC;K#|&NUN%(c6IN3@9&p}L{$WKLUE>v^19^3*W>$Ox9dc`~bu4Xta?NI-%^~GpHaw)e+E9&_atE?D2#OJK$(T+~; zE453D*GVVwA(PWeO_1_R-Cx%(NQK-%OIS_hCuJ1dWIK{cHGF+Fe4R3 zSj*BawtyB0TZ*RMX!}A3?G6YNu&A5f$1@K9rfn_I*Jybtn|3s*F1@Cn*Spf>M zcXoq*1{6f$8rw3Sy5vd1nJAZz5qY*pP=xAn;Mdp1JvS4_urn%T) z-{wcm{ygC3&V2Xq_2*L)+h<9+KSH^s6ZWav5x7n!el=;-XUX@6B9__~wu(6hr ztcA%NwYsGNthy%kJ<9KR@~&&vcvZQ@;lU&0OF)B$MpA|pJmKbZiLLXsbEJD_m1xxl z%pu^Z=Pvtp=*YHl*(#yTLK084dOEgi$l@Dr=)MEs!Hf;$UTfF|S}HvSZ5^}~0N_on z>{r_dQ*GuXP8$k7@TJb_%PTOQfO+aKgC@{zN6;`KgC(P;wG$2M0DZ>St|&;00zQOJ z+P1rXfAs6qcpJ4C{nx2~0WL!dT*kar=;5H8_icrxbSlzZZ}<_REVf49ldAXpncERT ztdg}6UQax+y(Mt#pBLI>xl;}m0KRWqPRDLs%VJd#WPZbe2$eozWX-HWf+eunQ7Ta6e7bI&ZpzFj80NrCbS_f>dfc73ML)QVSgpGnT#zm<1? 
zPk@0NtM;DR@Y9<3c79(}RD@~AX3nEv2{$2ij0Il5uNGGC=`x4|-~vXznfJ{IfmOnK zu|N3PyS3;vb_$i@%&&niAJe+BN882?2MRn1HqS!q zoXVQW4U741-2t;Hq0_)6kc`#d-bEzHlm)fJ8c;|4Fy2nWz;&y{)1?zbqmQ5KZtu=qdwE}Q%(y=cyb_PfQQ*R;N%aYd~*81!EUp{yB zp8hy-*!#p)QCelxB}Ms*mYW|NKTWC_@OWI@;d<`Q`Ut~*=&h;T(vAYb_1?}dTr2j3 zKJt=_6Yr_blDo$zfHg1J7j2k3?&NJb`vseVJ`aIDe{pnhpqvmfT6fhd^d;cL$K@k{cBp*t5(Dqf z5oz_rEJuv8|EZ-tiI#T=LL!~c|F?$;(){O9oi zeovRAHTrnBJ&KV*4XjB}Hy<5UoF!wgtK+6c-7Bu{;+4vjC@j5GuG0kZsX~e17~CL8_Qh<;cnDK_ZwSPvd*eh@ z|1qH$v#^oaQyyj9&GJxdWA$CXbfeam&c_C|ym^jpAUJeA7BAnR_XzA{j6;MD-6`q} zB57_PvzT#F{3L|;J9?(PXU1zW-(bl)%7nYF5?9rIl=rm$D4d5wTB*^&;SyFMChDxUshIECI& z7lF`ec%1#C>}qJE?eyJs9kLx5=1x~U3Hr#(`bZ8JTKdXm3pT6;3!RIfKC*VJn6o}{ zK7tP-4t0Uu%2p{Ihf_YxHVKfbX?l6U2*?V=^&0Ia_S$f%h=z}$ahHRPyyeZd5+sK5 zyJs)OX;-}4VRA)fyu?;%t>J;X9oV{N6plu4T3ZBq(x$MU6&BM+KD8oRoZAZVHUYPp ziR!z)I|H=7BhjYW1k^^SB6$F?7VMWx_(rIn7j;r3b$3 zzjL2!_`ZJOH`)$jE3;t^js`I$gWkHkH-#zqm#3>XMh@@o#7SWP5F!K33=i&SYpp1dMHpX=?iu~>{!c+x8lfUp@o+#!; z=o=4n&(}w)QE+Ry3YAgXhPh*sS$7%-s-m0Gwet_^XF-r}+iIM6Rdyf{;q6eOHqH)u zo+JH|rUgW)GjkTOzkf!*J!F7HjZJ`fw}Cm>6o3{0 zFb1p8V!&(Zci8qLU>K4Rsx<*rCq~|fP~hPOQf0>4?yZkMON|Lbzz&Q?s78KIvpkzS zb-r|zg@$r%^4Fw9s#4K)QHB@I?3|ZLg8wvl*3C<_^fyo|7rq0%!+7(;Rx&jSE8j(3 z0$cSyBAU*y$#VQ(OI?+2d=hi-siG_iZCwb9t0QpZTI% zxnUCAVRPEA2I$8`@%-)_o=2dFEYY}48YLzP`;p&}KH zzF=DD&+HbUrpT_d1COF-Rx=IH1w(v_JI^M!>sGMECzr}udK9qb@ndoXIv4AYE&Uva zalyV#Nju5O-tF@N%7l!3LtUmk$h3rfZ#sC8O`4Ie6<@p*^^!Rqwx~uv@Q-v5eD$&> zjY*d8Y22n+#Jtq<+^(II^nQC$a72h~`EtcKe`PrJY2=ylHZW+|9m3{u__?jB7_?pl zp^T`r{Sz}^#;;$wu|`rqusLKe0;en6$BO~+ZYcdl#?`GntllESNU!J@1x!$65n&1==ws{ddTr)DS{0y0nEl6Z5mXXFSzS;YBu+ZOnav5{cD2TART zc-Rs{_-#YZexyn~4j#wTfe_se8q`-x&XsUEtYS(BRw3DIW}xws!h8k$j#dlwWlKmm z{Brd6eE?^KDF!O*Xp%@m-sSZ7P@y+*SogiP&*vF6%!C+nb!%fcxA{I(x)1T55oTHV zJ+0^6S!)FR?pAldoq74iBsf?RgQsNJTc%x0$-32PN(~U*y_og48|prx-$(u3jbu;i zO2`1u>w@*<;+$j;hFOCoK!tL$(H0{G7NYPY?`Mv>NcI(>v;B?>52vHoc1S7E>ORIC z=WvhTlN;mNbu>JZgSERMNLGS-_cI8S+PIf`LqSx(kkG>ez{8QG=r2`IlA`_B&n{R!O0sJ<;RP>Q+YjHAt~ve4lM%*|LLYtq 
zAVTL+wyJ*F--)V*g#HTI2^Pbd)e8E1%ph6@G59nqLUJ?zdfa70NdBQ7(p5i3hJbhe zz8)GEccSkyum_u;k`*lp9#Mvo{kAcRTG>_mRP{N-wpmld86^-<%WS%FwC@EV(M2p) zX)ZSfFvz?%wY+C>I!SY??3(Q~dT`@ivmv7MQGg~b@a0Hy9-*66IRK4o5bWRV*=*kG zlCX^SBFNpj+IqaBP6ZC{GbI8oH+F$pcu;HA7@5&hn=*AicU0J2H7_$$vXGc@Z7&M7kfY1x6U z33;EBsk)04^P?^Nj5s9-Axtr7HqIK5cRnqeJWDxiR&Tm+LB#`Dl{!vMaL>Yll|R zz_K}v`wTrHoqb1o&LI%2XWg=vrPh+ALpOy(Z9+w!U?d$!CJBU{wW<|VpB*| zckp%2<^wJKl>1w{tec{`{d2?Wgf>L~40WGRIdmBbh=M>xsm2%zV-VG9SJG0=-4JnB z&?(z6-P9p7$}*b`|3J8fcUjBdTD4(-I2`yeE+266>&(Ma4>w7_!&UqYr*OdGnHQW6 z)+4;(M+rBl z5l#n<1Kt2HK)ST!ftG|k4IzQy1cAzG(aKlpsDKB^C8Q#D86#Dmz|vk)e4_7ctcmn1 zTw$t>)bb8pwtwb|E?lF%QK7{$nC(n`E4kvUrc&#=Q*Vb#F*1~Q6wo>t+Fg)Fs6huS z9v8aRuV&2(a6d9hQK|D3u){!OgS5ZVfL17%B^^v?-zIN)N->n~!0O@2$z2A>k*7$z zb+&1kjeFrK+Uu6B^4MusZRl-Y2%_b!5sw=VNJ?kba z7IMGupJ?L!xO;+k#6-Z3P*{yNmKVQAYi~A*dXfh2a{cDVN+{17fMUrvN8_;k!LhDv z!KP1Lwp9Cq&C=#a5A8#omN-iqMYcnM{#oC4(%fP5QjarVy})__x6(j??%R5AM3Yt| z0(LiPG^RME+pY6$ ziywy>CP0>Elt%nCvx&Yz|CMZ3?|=X-tSi9>1YTIw$q${L-|2gr^aBHCX06+q*aSq<}JjmJM52hi+GxN z#zF{NQ)Fr&_FC_+f=1%rAy;U3cHleh@cyNA2bI$Z@qgu+|Lc9tANc=olKX%2Fv!>b z+a{Q}wIDw7?+E)ZXOohHAi6DJU~!c9Y}mgNhiQ4QJ>R1j3mIwlDZ9R}CTt}l0DX1g z;ETWeOE4GT<W!uwQKI;!LkS)4qF$hpFJTtpCNhZ_vxM*W|tXZbPeuodyn!lf#3K z&4tgrR|WdQEs%4`-Oa=HzukWwN+TjI$4UO(L#1U-9vFj~f$Hi}%mj4NO>Tt|HilGG zsSzEX=@Z2dz~39~t|sl*(pgdd{aeg$J#hk+fzlk@vuH%x-4|`6TJtu?09mMeC*0?( z4RHB!(2=pPUO(80PG2gs*lR~QfDuksL`8LFUPy6Xvs@V*XzfbA`EB#XNQ(OQn_bs$ z=Oa;=r~ToB!q+ptCfD)L=`vx+ZNhKr#UItN&kao1y{(#b+QVxuuwqbj^uzggPrv7p z6ByX5o-<`HoECc1>bt1oqEsk1&i2jUS#S4#drb7s?W85@Tq{$;ho5C@GOJW9f8_ib zIdam|I*z>C5P`glkgRIhG#2Q2pB4F*%7{@tHN!ITWoh5)w*z{}v6$0V#U@vImH4zm z_)UIN>Aqj*O0FmPUV&IvePg;?b%7~+5svq9qT}az@aHB_G7d4+WmI zODdi1meHj~=>D=uFR3JAdwS;ezIOOtf(%!6Gci+g^ zLqw5G%n9)l2fLvQ4lP+mj?2T8MdHF}m735|Jj~X(oWC8?Dkq0}oolMzocpSOtj|ie z@(BHR_XvLqNhr}R=OFf(x#hY_qXfQU&@QJx_hm0R=J&N1U*{?w(OVt0wJ4KsI-oOQ zoLj*ac=1G%yu+nLqkHD#KaOM(Psf=24idg>N9-oOAUFmWWLwCcTXL`;JW$N#ZR8`T z?KW#PdeuLa==ZcmxK_~o~XADQ1U(Q)4} 
z<|u7yXHIK#Op3XeLj*E>t`Ybb)x>XoO+RR4cyYGg(>6Y8v6Ved?4{jDFVl+(A1gAQ zuI;y-dY*2fdn(bv`9`&K>VCptv9I)=2v$c*V|8BAD?2}zuO-mY>+(SMOS7!Ag@d31 zj{}Con1-AO9Y2Qhy8Qj-o)rH+#4*jB#{0V1A#Hid%MxkZ|EAfbEgMa!_nX#Ye&;<@ zqSEtu5}x-6#JhBp2#n z39^IV38i*3{)UORrNJzxy>$YI&T+>~=dXS8J;lBEnoow5{1Uu5{4>*xKi=Ce*2XW{ ziEci`3u7dK2=(pBz9Q@pH)FI|$Wgn<>X1Eq@>hpL`E@MmWRLE2*w?ZY!_REOJ`eXS#V@Hh&hxrf)jV}hk8X|sd@T5`SsUliJltV4a1>YQ5yK{=u ziI&ECCNr;{`ZTkCsW5^QO^^!Q?+?1e-^7=o!`h>w39QdiP}!NrOqfG(OxMzNsVDZk z9QaqPm(B6n_L&mzy*NHy?k`m@>VjSN^e2SNm&mj0^i1|c%6m7Qz-bWf$w=5mC%rxw zf^~(PZQ&?#*&|e*FOf6Yv~g(jA5jAO!ZVrTvngwq^3#;FibYrMMg^^cW()bWQ7J( XfuTK=V}}Gk(Z+O7oY&6Pv{FYDr*w5hGZT4mTji8Wt&nG$&x5pBWt#Zi9}?{ zUNguxmde=YduCAY`~Uvmb$u?3dFJ>0mUHfNpZlCgl)mn{JFJc0dH_I^>j5%AB-SGV91c)-{6?;a188JD zntaL{9Ss0TG(bj^L&;yBi->@?BF8$x`wkyIEF~qSqoZSQZyy>O`uOqVl9H18`udL_ zKaP)&gG($(N@9uF{QijrqlGatnK*olT-H!XB$E38a5caV{2eL~Eg%+cOno1H=#V?O z6#!_D_%s7hwnzp(eI~OfkVEws&}i~mU=8g#m3VVuBBrL?xgwn9_wS)}G@Se#Al@QA z0J?|Mhq3xdBWH0mJAh_qMmBn zy{x@~+|XWM6hua*li{_swP-ZDqoX4}K7M|FzOJrrbab?^urMtxO-)UWkB`sF$|@ZI z%o^s-gH~X2*E0120JbK|56weSHf{ib1Lx1EU-o}8m-;pNRRx>oHwAx%W5tb~^P!_j zj|Z6O?f4InXM(;OMcsNd#K0kIn@9sr^nZTAopRqkN6nV|Tg+}^qn*E830QrzINuv8 zFvmbFIU2y}GZI|0zW2V|oLly^+G8_EWDNiUsjwN3k?<6G?)C-90_Lh^G$6G!8n zOL4KA{T0qXtAD3yrMy|6MPj4_9GT0vjCI!eno3y)mpe2oPe>UWBd~-QRb7am??rn3 zS?p3K%rV~4y`zwp0iM^Y*dS6*_SF;k5xeG(X%DW4L(a$5BJY+VUAoyMTSH>5t?{3m z>Wy1|?HDD{!h=}ML}vDxRq~7D|Q?GHJ|RwZGLH-xSrs*k2Gohf|Fg# zv())?%|`cNjOa>{Y#*^BSZ=_5CT9KUQ0$y5*F3Y`V%YeSA?8bW^|g&JCuit=y1`>5 zLL~=`U8^|Wm}TL}4i+kT-3M8+$jc8_?96=%aqDsgcLwyp-1TIhw>bK8&W zFLM{4wS1o@-3*!X)vRZeyIN{qH@>VR`^Cl}HY|ebp`l#6+^W&KuUt6g zw`s=8N;=xDp)7W9HZqY_`+_<;v$<{Gh~hV1XvYp7K6JatB%|wR^j{1$|4UU$WFKVxUtqUw}K8Z^kulARD-zF>1 z+lH7ySK8igF1o007cEcWHV6~#MU2$Iwt<|f(n3@@tVTR;Cg$2!;^{`j(v>!74m zz_rAZqYLZ5a*``->8__5&xv%RSf&TG8F;RUT2`vEU6Sqj4sLxCFF4F+(KisJ8r{CW zsfo`av*R4B-hcyM=ODA6@r*CYYdvcDQnSVVGYF>>xOVzjo1xB7NS>3-J&1KQN<+f! 
z0I@ad02Js~m*H`&RzSeujsE*_?dq8S&JxIh4bo_{TS~)wH()~q0Rv=_7+@imOs~3C zcF24~XwL^x7ROn`f~mwuZX1ha<)*uQHqBwBnGUTo!w9VSTSt$Md0~}D zq@HJOB{X#x&ATH~`)??4MP@_R8rCfCCDL-Zxv^7#V0Kv`ZM{&q+?$0}(Qi5&Um|9BDuS$yANFWBv};i*FkSbbW;@_fj+sK0$(=%$*( zzNM2Q*f{f&#WtDYS;*p+(6?I1RW;g1Wv+~;%QwQgEUhfbn{r#kyWiGt^wqwT;KDWP zbfrb#WSXX_!)=wY%ztRRDoJ#-Ma>h}9p~0plb;bx2e{Ot^rL$IAbRqwmrM&a`!~X3ArIA#mN0?<<->=kyM%Iv@h zb7H1&os#aKY4}oao6pC=C@ay^UlG+(qJbSkU^$v%cAVWkCr|swYbl;nds-5e>?xxd z4w?psmmUB-(2!NuKYN&8Vj-?B_wXwGnLrH}_DOqayp{pnOedYNi09ZVxH#Ds@_VU(BM|!l#Ky4 z;k%$D3HBu=Cy=;3{+yp1>InglYQEQ(NQ?mQ;PUEgc`T~FYo6*yq8yACvn7z zC5b5n_Ducf_(BS{aqEs&z6Rn4ZH|4vA`ZJGweGL{x>BHObfn{-;Qkz|fHOV_g@n+@ z6xK>|MFtFf?6Tc=NsHkHXzNy+u0^5DqY2(t8-g0`&EkFDIfEX2p+Zx7+Fc3MzYQ^O zt3LPK=FFHWp@BJ%=taDL*wcLOn~|qy;GHH zJ1(@E*)oLpwe~qwDeT02NF}!y>u7K6m?)1)( z7u;Uhg`M+>O>1KAPyqBFkYgedD=Y5=i6^7jc9yzWVF14c0vNq#naB(t3^*dMieTBn zSHti*X2FUL;Ge@K81~%(Cw4hiyPx{155M(?NOjBctbZaGbUQtGEVgGMuGocq*Wf+M*L!hWyiygdi2^Cj?D6aX0Tg+{2(bkoNVVcvU}1O57Me zpwP6$-0~Xv)Sh?g)X@-p57`f;T`z&LpqlJ9s6kh-|r z8GoFAi|FS#?x&;o_JOK*TSgB*q06Shh zH`KsFh*XyTyODX{i#%$hC%KT_?HF)yS_6}i2L(=r>52mAZFX8Z3UbRo-mq)Yfja@3 zSV8Vae%x7?=*OblzUiqTJxGHS0-~mWyEz?+xyB^anszUin~BF6wSv z$)4SNJ=!=U&xzf=uOzoM@3PB)qp=EFT23?MPeSYhEHGG1p@wIOiwu(gH9(_|xs#PA z`ca)I2vSP_;!T1J?GA=Ry{ujjuL#vawxh$_+WJ_y%#$d^unV+BNDQL^A?~N4&rT4k zRTU~KuNZ{vyFe5WzhEdkDSBt;!0{;d$b&xQj|2O2l81O$i|ughs}b!Tvd9ccniKkP z$uFBPh3KmT+yuxI%_z%5cdJhImXe>k?%2yy$L~I`8>rFRC;UdF)4Cik-W1bw7kpe= zuX^hB{+49Vb!234q8H}v)A>GIQ+~n3gZ(tjXYRkVe~%-%sT}!g4tFc>YZGI>tIW1T zoMe1$84|Z1JL=gt{>iI&0ur!Q6LROz$5vJ1bwSv-qboY)k3fy_%fI_)4eRkN+MDjd z`O1ySZsp=9z{=w1;!W5Dycj(VvzJFY_^}mR63UK*bMnX6@1%Kh1sKrJ9hb6g=XtVt zZQhWt-fZWOfA{B819;{G9n0UdJT|}U@|m-CNjmU_Z?Ll%wrg%ersJ$b8Uxy_M55`Y z>BVN=HFv|k7u^CK?h~Wa&b;`#0w#VzB~+Dy)*BC5xAVM(A*hgFmk<0+4*iRgg|FUj zj!vz&7}VR<>lS&DB!?W|2G|?G%OOzDL&RGzef_U5>-4JaaACk?uL!K`vs2Y@{<*QSX1&>iTfaW2-p`%BSBHO&u8XF}L*}|t)AzFNlyXdA0&bj;GW(0> z-99Ra5g!cT#)jiQaSDupRndF@8}BE6VPMQjdx2t)wX46j2T?@q2Opjmb)s;ew{V{a 
z4+9PIAV@jrq#b^u9-w3Nlignc-{md*l=frfG#G90ORc%6Gb9@t_Zv+lo7L|-67Gx= z>d+&wQf*rGVw-8UzSezPd!v`O1k~tyF|+(+2_2%)8Yd z=4NnuFDzo5YCdN-F@b>Lj&yMLjiGZRO`*3^0>go zC%=eMXh<0#4ePZBF z{whn#vVxOuZfrnEeiV)Dx>j=WM^AgZ>uT1d?Y?8r^Fnx@STBi!)LX~IOfcRi|I(lt z$4gyA9q@*oJbo|n8B)N@3(PGc2Uv^0t1lM_jjd#FBqpHy5??gT+QHHlJ5y%JEn z495(&bUqNRjIKf@XK&^xt~PnwH0ud`p;SbEcX`FvO4w7DW*fYjlURXb1JY#W;M(kz z3Hzx-fX&hQoFhVNfg0ixc;S6cvLTh(O7G*0eH`;o&b0PUiZSuq|Iw)Z9%eq1Hb%Wy zCdEXuidM5|eTgG<&KDXhL{e`ZyMGXYm8RPM0&MjIgz39#G-x;16y`}A3vsp3-|*3P zq+tP}U|Mt8#d3kk+%k~M^V1tR8}q%hcheP7>g`p|=HdLkj;9zZ!`3(Yowh?xoq)ia zRkT&TY5st} zcanv0cK#?7a>Y8*M=ICX*HX^Zz%|6#6#iTSf$dI5qQV2K9*}7iqalv3@cNjQ@1PB@ zn8yvjmGdfpZ}8>o79`-_Sqz0}j{Ck9i3#-At@MjDsx7gFLh4f`0xYWydY4@}av%Z9 zRtOlD9ksXcx4Eng2QKC2#Qa{qQneCMEAQgHg?vF_wjz;_8Y|jy>^o8`j6g%O;Ps6- z0~Y5a6W323avt9IZi|++IPO+zb)EKkUU7Duqdt6!su~{HE*1HmQkY-^;RWg$YBp~H zO{-L`rz(3RT*Gd020Wlyt{2HWEdyq{p@_f^UWzNfqCB`Qkl5OaQ%GefW#LVG5KvXT zH$Wu>z@x7Z2S0#Zr$Ih=;PZ4aPr*WPM{H1H*#Dl~bu;*+pZ&hw7J_au-sh{8QRLtj zuz)F(mn0u62T9!yh>X3)a>+){&A$@&tsxb4NP3*2J3x{<%)s2(W&p1n6RVocN(+r) z3%fYpSI;C=hmm+P$$sgDbO@_*_D{JNvh#{n+Xe3Iy^9>UBjpDv?D=q#V)nplrf{KCY-0(WO}iOS_^Zd1p-#|F2Za)9OPSJh%Df%t8OCURLL>Ew-hKd4 zd!$2+AeOX5VT&Cs5IYDDs|mf7d0rpqQVpq{O4J0yLu~q;i6PG7)I%Qm212<5sFfz? 
zJ1>5_w7N$ht`;tHY!bQME2wQ77f)Ct)&gKdAcdC76}6zL)Iec8z|=$^Zeq>kC=BC9 zz>2n|TZ-rG#HLI++3vkuJ4r=C@21%NEsdww|FmMjL_JrO;`dB*w&V#5VKb<|CDZa$ z6GTnNh^sj%b3`7tPK|1 z45@N~anf6x7EN;~fbMV3D8}oA?!QtTT=3yF@p|ig8c{Sb+5n4r|NXzx6mYjKy>Let-tSUc6)#DGOUw9>uPIz*u4A^9%VM^1hQaDv z5_8l2l(dwycy$%vjHXPHL@h;csb~-Poc+p+XyPG=%hS%Bb5xwp7iGRU?e7C!x{1G> zptsbZX8I>f<_o4@qy zOV3yO-J$%w@m19c!#{7%c#~XrFM{_|N>Mo5sai-Hs9FGQ=7^6#uk4>FNtp2ujp_7D zcjx|7{vP)YlK)^qMDhcE_M;qO-1;xHfkq znvM)PvPesnqx*Xx8Evuma1V#%_5FEz=ID=C8J>WFAJ);Mq>?$oi!gRA8!bM>FEDKG zTSq=jD%~ip8NJy@!wa82ExJ&n*V)t|yTJN&YXSU+IS7(tKe?qw!U*R#- zPDm!QE7i{QK66XXS)3R%MA1}8HCnuij^$6J78_I7+A}Tn;bS?+r*jd>zCxGSN8`ej z!D?gQa4+8Clfe>W&~C#LjFO)g9i17!@9qC-en%PdS3*(RH_TZeY{6n1c_)vhsndC1 zl{^Pf&{*-|PX2W6(AG#Ul2s+~Z`nYRo+W3QEjkd?`tHOrlxg|L{Q6qIg=;W zo;5+5-Kpj+qNIKve8J--bI)pJw$}ymF*m^?+^uc^V$eZTm@Y2<#%w;N;6j;rQZfr+ zF-P^a%F{F;2az2y=xaCp=8{=X^4q*)c;X&AMB7uhnWSd~4{DZL=ALQG5=$)Xq$uBV zXz}nbTW6L_ms;95BA+j|GY0TbBX*OX`HV%uH(#mvY|&VaS^lSLwBaUG*OsbUhmVX1 zkY*=0K~fe*>BE_9lCxjMZ2TIBN3j-5&QA0sI#)?GTiQd&=qltAqoUMwS^>05rYI!E$%jC0GQODNc~p}mC~Z3miVCLgp7?b zFjB=DXDwvk!@y2T`;MM+ABc4Uu+y#p4$5d?GJy+br6L{l;c#k_G_{W8$k<86Ct29F z?ttxgkSdTsOd;~rzdNA+)k2*UDr&-;9o+1UT1VDTOeUMucwlch{sWJTI!EGN3Zi@OZ;?-JiieX0y6zx&+vGY3!8tPJ=Czu7Dz&>@#eML(P zjJBJm*2%(7YY2pH+qHkF?!R>UtZzMLfQ6MFum+u)NfCO(_68g`nC}QrW=!oi&e%>E zllK~VEYT&TdhVlalj4k`C~XW-#NDN9ouCJOUBG-9oF>VGW-jM~$;Kyf?8!>$WFiHD z;I;f5q@;G&JfhE=qO0ju3x7TZi^ML_O|)Bw=$Yvd$dCSrxeN%?$vW6Jaz4tRRw`WN znokn=wruM|?b+pA5rqN1r*BRh@mq(}WZp?yEE%X{Xei8MuF~arxQ)P#Q^Cj5k(Uxc z40QHrq$UGnJl=0$PzaGu0^gD}Kc9GXRCh1k{hbJ*6?GTZ zvcy1WNMT8fyg?#Zp#AANibSDy5J`*UxhANR6O^PyIoX}Tmh1SjUhG>)4-FA)PAaWj zhSMag#Djuwy9-uJ%dRCz9jYN0NyD*n4B>qnB=Czcsja>1%mnume#(QPZJ_tfj=T)a z`&v&CD-;7mUH6<*sgGCB;6CGnHv7pLqN_Lo{|pXZ37IW9L)EuazCmj7=X~>!zL;wq zE4=z}zy*G)NzoEso%~Q^d)E<+7VsS3xwRAyif9Fo5y7a^^sadCf}u4Vq@ErmP_T89 z8d|x&!ebV0qWX5h$x6feegXKPBxi7O6J#;lxec0^&mqX52VWMGRpB+}KqQ~yfl0mA z;O(a;6gzxs0-GY#AoRB9pY4UdL`FQS$Eagr-ttGXkU{?(D8W$qoZ_lC@Yow3{h_}k8vQrG?s0Q3(j{|mtM|6&qwYHAkUb?A1> 
zZ3hs8*PisVb%mETf>nZSDQ}_(EdB~7sQswhk4+leyjWKHeb-yAP42h(u*#*pnm*{# zjJZ=2a5Vx2G!9BJkX3#vz(Dy9liDV_f06J1XUHoFzmEJg#{m_`F(QO1-|56g)JVjuL{y77P%puY@DB7F)pH*0 zc;v?q+`p#Wlclt=7;-6UZRfFUQWWyQ+;5!%-Nrg}=v%I13&Wx*^=yS&kaKU1 z3u!R{-HnHt&G?s1mrsI29!*-!%P_h4pFPlzf2cKvC4KjS%fFHur(N{_C447JIs_M} z1L3y(Otmd99qBk+{$y)z`~1T(Z7$Xu5|1HA=VeFzD-C>YPr8E&E`*>wLaG~&FX&{Uno`B2=K*Wf)A(n;ukoB6rLfUHqwfRRKQVM+=oo0VCL~Z@HOsEexmd2=9M$xeaxP_#5vKgbG z!?8xXu9ktx4GiBl3P2?p1muK5!q!&v>7x|RX>h&`gvkvds+Ih^J z_MWYImA|NDRjU+gep$T>@=|~N&3eNLtbp81!gTAL*KDi39_pk}d9|dwYTu7X^I}~u zmvd=wLu+06h94o0)3&|#^H;BiT1~0RPLm5n6@cYSGSAIy%`pVjxYGc?mIY@(b+$}^ zMU_#(%b(5pm(LCdcZR~@yoV6V2(vg`id$AUlGEmCL5q(n2?802;X3-0$XF3))ybc(RXJ%WSzX2}c z6zp;hX16(@@;F;Fr>yF|l2wU*{@U2PV3zEZ9-!!vZ@%Q5Q;8V1)kr(RXJ5Hw*{k^q z4ZoT7qP#g(&*Ea_+P$lFngghj5e_XG>7ma?t+~jdceXQzEZu(VW%S)cKiCUf1g4qo zE>kA$wxo+GuBREg+EbuE1M#S<;AjmV$bU9>p(o$rF?W0q{^0d3hk;wAp%vBN3z}9(;J(wck&m+IF*lN)9%_1?UG%4gM4j2q!V6aG6pmnUrandomizer_cache[0], &ecmult_context->randomizer_cache[1], ecmult_context->chacha_seed, idx / 4); + secp256k1_scalar_split_128(&ecmult_context->randomizer_cache[0], &ecmult_context->randomizer_cache[1], &ecmult_context->randomizer_cache[1]); } /* R */ @@ -367,6 +368,7 @@ static int secp256k1_schnorrsig_verify_batch_sum_s(secp256k1_scalar *s, unsigned secp256k1_scalar term; if (i % 2 == 1) { secp256k1_scalar_chacha20(&randomizer_cache[0], &randomizer_cache[1], chacha_seed, i / 2); + secp256k1_scalar_split_128(&randomizer_cache[0], &randomizer_cache[1], &randomizer_cache[1]); } secp256k1_scalar_set_b32(&term, &sig[i][32], &overflow); From 869e7097d9835945a1663a321239418ad2f93ca4 Mon Sep 17 00:00:00 2001 
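Review bot: In the hunk for `secp256k1_schnorrsig_verify_batch_sum_s`, the added `secp256k1_scalar_split_128(&randomizer_cache[0], &randomizer_cache[1], &randomizer_cache[1]);` passes `randomizer_cache[1]` as both the second output and the input, so the randomizers are only correct if the split reads each input limb before it overwrites it; that contract is not visible in this patch. Splitting from a temporary copy of `randomizer_cache[1]` would remove the dependency on the implementation's statement order. The call also sits unguarded in the verification path even though the commit message describes it as benchmark-only, so a comment at the call site such as `/* benchmark-only: 128-bit randomizers, not bip-schnorr batch verification */` would help. The same applies to the earlier call on `ecmult_context->randomizer_cache`, whose hunk begins outside the visible text, and the function body continues past this hunk.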
From: Jonas Nick Date: Fri, 28 May 2021 11:39:27 +0000 Subject: [PATCH 8/8] Choose batch randomizers in range [-2^127, 2^127-1] H/T roconnor-blockstream for this idea --- doc/speedup-batch/bench_output.txt | 134 ++++++++++++------------- doc/speedup-batch/bench_output.txt.log | 2 +- doc/speedup-batch/speedup-batch.png | Bin 10359 -> 10251 bytes src/modules/schnorrsig/main_impl.h | 4 +- src/scalar.h | 3 + src/scalar_impl.h | 9 ++ 6 files changed, 82 insertions(+), 70 deletions(-)
diff --git a/doc/speedup-batch/bench_output.txt b/doc/speedup-batch/bench_output.txt
index e9608ba641..c8461e0ffe 100644
--- a/doc/speedup-batch/bench_output.txt
+++ b/doc/speedup-batch/bench_output.txt
@@ -1,67 +1,67 @@
-schnorrsig_sign: min 24.5us / avg 24.6us / max 24.6us
-schnorrsig_verify: min 42.1us / avg 42.1us / max 42.2us
-schnorrsig_batch_verify_1: min 50.2us / avg 50.3us / max 50.3us
-schnorrsig_batch_verify_2: min 43.5us / avg 43.5us / max 43.5us
-schnorrsig_batch_verify_3: min 41.1us / avg 41.1us / max 41.1us
-schnorrsig_batch_verify_4: min 40.0us / avg 40.0us / max 40.0us
-schnorrsig_batch_verify_5: min 39.2us / avg 39.2us / max 39.3us
-schnorrsig_batch_verify_7: min 38.4us / avg 38.5us / max 38.5us
-schnorrsig_batch_verify_9: min 38.0us / avg 38.0us / max 38.0us
-schnorrsig_batch_verify_11: min 37.7us / avg 37.7us / max 37.8us
-schnorrsig_batch_verify_14: min 37.4us / avg 37.4us / max 37.5us
-schnorrsig_batch_verify_17: min 37.3us / avg 37.3us / max 37.3us
-schnorrsig_batch_verify_21: min 37.1us / avg 37.1us / max 37.2us
-schnorrsig_batch_verify_26: min 37.0us / avg 37.0us / max 37.0us
-schnorrsig_batch_verify_32: min 37.0us / avg 37.0us / max 37.0us
-schnorrsig_batch_verify_39: min 36.9us / avg 36.9us / max 36.9us
-schnorrsig_batch_verify_47: min 35.2us / avg 35.3us / max 35.3us
-schnorrsig_batch_verify_57: min 34.2us / avg 34.2us / max 34.2us
-schnorrsig_batch_verify_69: min 33.8us / avg 33.8us / max 33.9us
-schnorrsig_batch_verify_83: min 32.6us / avg 32.6us / max 32.7us
-schnorrsig_batch_verify_100: min 31.7us / avg 31.7us / max 31.7us
-schnorrsig_batch_verify_121: min 31.6us / avg 31.6us / max 31.6us
-schnorrsig_batch_verify_146: min 30.5us / avg 30.5us / max 30.5us
-schnorrsig_batch_verify_176: min 29.5us / avg 29.5us / max 29.5us
-schnorrsig_batch_verify_212: min 28.7us / avg 28.7us / max 28.7us
-schnorrsig_batch_verify_255: min 28.0us / avg 28.0us / max 28.0us
-schnorrsig_batch_verify_307: min 27.5us / avg 27.5us / max 27.5us
-schnorrsig_batch_verify_369: min 27.0us / avg 27.0us / max 27.0us
-schnorrsig_batch_verify_443: min 26.6us / avg 26.7us / max 26.7us
-schnorrsig_batch_verify_532: min 26.3us / avg 26.3us / max 26.4us
-schnorrsig_batch_verify_639: min 26.5us / avg 26.5us / max 26.5us
-schnorrsig_batch_verify_767: min 25.8us / avg 25.8us / max 25.8us
-schnorrsig_batch_verify_921: min 25.2us / avg 25.2us / max 25.2us
-schnorrsig_batch_verify_1106: min 24.7us / avg 24.7us / max 24.7us
-schnorrsig_batch_verify_1328: min 24.3us / avg 24.3us / max 24.3us
-schnorrsig_batch_verify_1594: min 24.0us / avg 24.0us / max 24.1us
-schnorrsig_batch_verify_1913: min 23.7us / avg 23.7us / max 23.8us
-schnorrsig_batch_verify_2296: min 23.7us / avg 23.7us / max 23.7us
-schnorrsig_batch_verify_2756: min 23.3us / avg 23.3us / max 23.3us
-schnorrsig_batch_verify_3308: min 22.9us / avg 23.0us / max 23.0us
-schnorrsig_batch_verify_3970: min 23.0us / avg 23.0us / max 23.0us
-schnorrsig_batch_verify_4765: min 22.7us / avg 22.7us / max 22.7us
-schnorrsig_batch_verify_5719: min 22.3us / avg 22.4us / max 22.4us
-schnorrsig_batch_verify_6863: min 22.1us / avg 22.1us / max 22.1us
-schnorrsig_batch_verify_8236: min 22.0us / avg 22.0us / max 22.0us
-schnorrsig_batch_verify_9884: min 21.7us / avg 21.7us / max 21.7us
-schnorrsig_batch_verify_11861: min 21.4us / avg 21.5us / max 21.5us
-schnorrsig_batch_verify_14234: min 21.2us / avg 21.2us / max 21.3us
-schnorrsig_batch_verify_17081: min 21.1us / avg 21.1us / max 21.1us
-schnorrsig_batch_verify_20498: min 20.9us / avg 21.0us / max 21.0us
-schnorrsig_batch_verify_24598: min 20.8us / avg 20.9us / max 20.9us
-schnorrsig_batch_verify_29518: min 20.7us / avg 20.7us / max 20.8us
-schnorrsig_batch_verify_35422: min 20.7us / avg 20.7us / max 20.7us
-schnorrsig_batch_verify_42507: min 20.6us / avg 20.6us / max 20.6us
-schnorrsig_batch_verify_51009: min 20.5us / avg 20.5us / max 20.6us
-schnorrsig_batch_verify_61211: min 20.5us / avg 20.5us / max 20.5us
-schnorrsig_batch_verify_73454: min 20.4us / avg 20.4us / max 20.4us
-schnorrsig_batch_verify_88145: min 20.4us / avg 20.4us / max 20.4us
-schnorrsig_batch_verify_105775: min 20.4us / avg 20.4us / max 20.4us
-schnorrsig_batch_verify_126931: min 20.3us / avg 20.4us / max 20.4us -schnorrsig_batch_verify_152318: min 20.3us / avg 20.3us / max 20.3us -schnorrsig_batch_verify_182782: min 20.3us / avg 20.3us / max 20.3us -schnorrsig_batch_verify_219339: min 20.3us / avg 20.3us / max 20.4us -schnorrsig_batch_verify_263207: min 20.3us / avg 20.3us / max 20.4us -schnorrsig_batch_verify_315849: min 20.3us / avg 20.3us / max 20.3us -schnorrsig_batch_verify_379019: min 20.3us / avg 20.3us / max 20.4us -schnorrsig_batch_verify_454823: min 20.3us / avg 20.3us / max 20.4us +schnorrsig_sign: min 24.3us / avg 24.3us / max 24.4us +schnorrsig_verify: min 41.9us / avg 42.0us / max 42.0us +schnorrsig_batch_verify_1: min 50.0us / avg 50.1us / max 50.1us +schnorrsig_batch_verify_2: min 42.1us / avg 42.1us / max 42.1us +schnorrsig_batch_verify_3: min 39.3us / avg 39.3us / max 39.4us +schnorrsig_batch_verify_4: min 38.0us / avg 38.0us / max 38.1us +schnorrsig_batch_verify_5: min 37.2us / avg 37.2us / max 37.2us +schnorrsig_batch_verify_7: min 36.2us / avg 36.2us / max 36.3us +schnorrsig_batch_verify_9: min 35.6us / avg 35.7us / max 35.7us +schnorrsig_batch_verify_11: min 35.3us / avg 35.4us / max 35.4us +schnorrsig_batch_verify_14: min 35.0us / avg 35.0us / max 35.0us +schnorrsig_batch_verify_17: min 34.7us / avg 34.7us / max 34.8us +schnorrsig_batch_verify_21: min 34.5us / avg 34.6us / max 34.6us +schnorrsig_batch_verify_26: min 34.4us / avg 34.4us / max 34.4us +schnorrsig_batch_verify_32: min 34.3us / avg 34.3us / max 34.3us +schnorrsig_batch_verify_39: min 34.2us / avg 34.2us / max 34.2us +schnorrsig_batch_verify_47: min 33.1us / avg 33.1us / max 33.2us +schnorrsig_batch_verify_57: min 32.1us / avg 32.1us / max 32.1us +schnorrsig_batch_verify_69: min 32.0us / avg 32.0us / max 32.0us +schnorrsig_batch_verify_83: min 30.8us / avg 30.8us / max 30.8us +schnorrsig_batch_verify_100: min 29.8us / avg 29.8us / max 29.8us +schnorrsig_batch_verify_121: min 30.0us / avg 30.0us / max 30.0us 
+schnorrsig_batch_verify_146: min 28.8us / avg 28.8us / max 28.9us +schnorrsig_batch_verify_176: min 27.9us / avg 27.9us / max 27.9us +schnorrsig_batch_verify_212: min 27.1us / avg 27.1us / max 27.1us +schnorrsig_batch_verify_255: min 26.4us / avg 26.4us / max 26.5us +schnorrsig_batch_verify_307: min 25.8us / avg 25.8us / max 25.9us +schnorrsig_batch_verify_369: min 25.4us / avg 25.4us / max 25.4us +schnorrsig_batch_verify_443: min 25.0us / avg 25.0us / max 25.0us +schnorrsig_batch_verify_532: min 24.7us / avg 24.7us / max 24.8us +schnorrsig_batch_verify_639: min 25.2us / avg 25.2us / max 25.2us +schnorrsig_batch_verify_767: min 24.5us / avg 24.5us / max 24.5us +schnorrsig_batch_verify_921: min 23.9us / avg 23.9us / max 23.9us +schnorrsig_batch_verify_1106: min 23.4us / avg 23.4us / max 23.4us +schnorrsig_batch_verify_1328: min 23.0us / avg 23.1us / max 23.1us +schnorrsig_batch_verify_1594: min 22.7us / avg 22.7us / max 22.7us +schnorrsig_batch_verify_1913: min 22.3us / avg 22.4us / max 22.4us +schnorrsig_batch_verify_2296: min 22.4us / avg 22.4us / max 22.5us +schnorrsig_batch_verify_2756: min 22.1us / avg 22.1us / max 22.1us +schnorrsig_batch_verify_3308: min 21.8us / avg 21.8us / max 21.8us +schnorrsig_batch_verify_3970: min 21.9us / avg 21.9us / max 21.9us +schnorrsig_batch_verify_4765: min 21.5us / avg 21.6us / max 21.6us +schnorrsig_batch_verify_5719: min 21.2us / avg 21.2us / max 21.2us +schnorrsig_batch_verify_6863: min 21.0us / avg 21.0us / max 21.0us +schnorrsig_batch_verify_8236: min 21.0us / avg 21.0us / max 21.0us +schnorrsig_batch_verify_9884: min 20.7us / avg 20.7us / max 20.7us +schnorrsig_batch_verify_11861: min 20.5us / avg 20.5us / max 20.5us +schnorrsig_batch_verify_14234: min 20.2us / avg 20.3us / max 20.3us +schnorrsig_batch_verify_17081: min 20.1us / avg 20.1us / max 20.1us +schnorrsig_batch_verify_20498: min 20.0us / avg 20.0us / max 20.0us +schnorrsig_batch_verify_24598: min 19.8us / avg 19.8us / max 19.8us +schnorrsig_batch_verify_29518: 
min 19.7us / avg 19.7us / max 19.7us +schnorrsig_batch_verify_35422: min 19.6us / avg 19.6us / max 19.6us +schnorrsig_batch_verify_42507: min 19.6us / avg 19.6us / max 19.6us +schnorrsig_batch_verify_51009: min 19.5us / avg 19.5us / max 19.6us +schnorrsig_batch_verify_61211: min 19.5us / avg 19.5us / max 19.5us +schnorrsig_batch_verify_73454: min 19.4us / avg 19.4us / max 19.4us +schnorrsig_batch_verify_88145: min 19.4us / avg 19.5us / max 19.5us +schnorrsig_batch_verify_105775: min 19.4us / avg 19.4us / max 19.4us +schnorrsig_batch_verify_126931: min 19.3us / avg 19.4us / max 19.4us +schnorrsig_batch_verify_152318: min 19.3us / avg 19.3us / max 19.3us +schnorrsig_batch_verify_182782: min 19.3us / avg 19.3us / max 19.3us +schnorrsig_batch_verify_219339: min 19.3us / avg 19.4us / max 19.4us +schnorrsig_batch_verify_263207: min 19.3us / avg 19.4us / max 19.4us +schnorrsig_batch_verify_315849: min 19.3us / avg 19.3us / max 19.4us +schnorrsig_batch_verify_379019: min 19.3us / avg 19.4us / max 19.4us +schnorrsig_batch_verify_454823: min 19.3us / avg 19.3us / max 19.4us diff --git a/doc/speedup-batch/bench_output.txt.log b/doc/speedup-batch/bench_output.txt.log index 02b974b5cc..5621fccb15 100644 --- a/doc/speedup-batch/bench_output.txt.log +++ b/doc/speedup-batch/bench_output.txt.log @@ -1,4 +1,4 @@ -HEAD: 1e850ba7 +HEAD: 2d843581 checking build system type... x86_64-pc-linux-gnu checking host system type... x86_64-pc-linux-gnu checking for a BSD-compatible install... /usr/bin/install -c 
diff --git a/doc/speedup-batch/speedup-batch.png b/doc/speedup-batch/speedup-batch.png index 488111b6db8583e9bf5fca84607d9233f338c3a9..279be7a8550cc860012970e18de88fe582e24b53 100644 GIT binary patch literal 10251 zcmcI~2{_d6yZ6^H5z!<|gc&6}Qz0UZEfgYq)~v~zZ4xq*NQ8+>$Wlq!v+rBUzC_s# zvI}G1mpR{&{D1%VocCPkT<`U|h8fTIS?=e)KhNi0o_VUNp-fB7N(}%2t*VORO#mQA z006{*iX3do_~a@N0Az}qYC1|pA`xs!OiU!bRRI8oSOpLP0-*{8)Yk)YcE5;K2mphs z!Vu4!V?qD`g#m~dq95_+2Y!BVC~EjSIF6N-RYXKYU0vPA#>UUjFFHCpH#fJcs;arU zd3<~vTw>wkMH~T_(KE52yD&^767Y|R1=U#u0>Wll_VAy!op!Tk`cS_0j+QP%b=jZ1uD=UYFhO)A<5)u+*Wo6-TxS5$*A^;dw zi1IO?Ke=mr3EHKbp%mjZOB0RRE0D$42He=`@?85;6(rTpP(3i`;^!bqq0_op)rfoLaFIHeH-W*qa@$2 z6@};8%325N@P4>-JHLy%>#aYpMXI{9)u`#7wrnhkFW0@4YbHam9PfVcpkIcq|4w}L zh~;QO%Y0X%N^HKbvjSGs(9X4#sIR^augN>jJeLsaYHE|5sflRND(>LT?G^62Ph%Bl zV}>nKpK-=II<6Tys|@<)rP%cMm^sy|&A%9@g+{QMV84C+$#yrmZcrvuqO;HCQD zsTDqba>{xhrE0h9;9jNoOxEBAP6?q>#)j6G_Hj9^dzZ^*WPV(_E8c?N>rrNM3?maK z@Y#Cxp6J|Jw+rfYa()u7Frv+|d%SnysnPmGI*Lj5b+cmtM3qjw##PE%mr=>-`uiNe zjMx(P*}Te557XBr#BDs`T0q9RQe@#`ZCG>dalyg_>ZH4k1wd0leuaEvbH12&w{Pvl z_Z9CcbF;k5(53#1NTcJ+Lv;|AK{k4LD7g+UDZ&sT7@;)XTR}ltpLnGD`2q)p8O$3ke zj^@;yP;{M&zKP+byby5O3RGY9L&rM98D(5-+@;d;r}68M z>Di`BEXp{U#dZk~=N&~E*}I|SD1F4shVwPoUM^CNtVLLC*qawPdH2i9{h)&)85i=f;GHZJK2751!Ey1VFr%q(fd)_uX@N9k4ny_i;Vh(Ls_r=D( zID7UXUm;v|g@crd@utUgNPKSXS1aIam_%YUsx_Bk+CQ?2fCTF&TI zG63>vOTdwt5(=?8O3v);CJHBpr=a=xUx$;oL z9mE_3DvwM2%@zeX<{cF3`V}T{Zk>CxeQ2Z=;rrQ>&9hu61hp^z^sNhr373wuGFuRu+gFN&!~8v=7(Ql*GV05 zP14rY^Lk$ee~;#)B>Vh^T7B9ZWXgQ93V4H(AzE!b!yd48YhUvqs7&^jXlla5qM+cK zifidEBQ)AV??Tc`rl1fjnxw=qS$)L#LKEP1Y5g1e%uk0MSM_!DrqA!^V|Ih{hpMF$ zz~$nfEA$=3NT@hkF;asn83CY6EEcr^dGGEtis92-ry+)Jb^o%ZyHqPC?<5doZa(f$ zdQU|89L~0fkj+93;=3__k+q(-^K&(!e*38e=NtuwRrWI~<_c)-?-ZTC{Qve5pFl_* zS~e8YO9sl&N=csPq9R4+BEySwIW%FoYbbGchjLT!hnOP%r+}kIsX=^#1PdMpEBBa|sWUktC>A=a21iALym2n4DTsgP{DQ z1$&@ia_Eh@M^@~kuL z=Iw^)J0+Jvc0sT?VKH;y2lJEnr!s-I-kbtYmZ?qh!G_!nWW~w1HltB)_|adMZR2vJ zdA#FBv^1a=Q>KEizH_#9RcvTHjtMnu^>~k>n|xTQ4jp;emlMPj#CR+_%u*01i(WV{ 
zN)wkrD?!0ff3J+8o_)sOxY_sn>ay>W<#%^)FBS`FEd;Y0+&!;{NA`$%VN?n#-km5C z4$_SU@RiTd=A&1FVw+Tp{6`-0OOKp=fi!u;Ud`l@Z;f= z{*8vdi6~(*YDL;ZMws?|Lw3mQ2W)^G4qW?00uK!@?$d#h2IiRrVU@;o>f)3KW2Fhx zsl_#`ZsEoZU?XVi=I27N&+OobGR$QaodcT@(3W)cj0dRL#*-!l@esuF2O56>uoJue z;^?OMCJSh#gJF9up^&ExU?&NeYvMOSuwgby+esiPKeWyI)RyOZ)j-A*zIMxHcThhT}yESdaBBQ(Y7I7<+ z?>7XfX8aXF;MQw14~CazMee=HI)4twKy^ex@OD?79yu@0Kn_c#-SyIs?xFx}nb!%5 zx8)44Vjg;`nY-9zHXzX=peFr!D`lL&@UiNH7=pVLVbnUJ!urGw1aL&p_U5U1MPCqn z;w4`sryCPdt!LW=<5RW_5Ku-!f}i%M(OI#~X)7~hWV+YGdV$ARnyzbKil@HKCI?yW z2_~(ex_p8=X;{az`@^<=@kLd$^hnc^%k^%-5qBO8vtJpVRLgPN)3O?p%`xWjoyp)v z0XlVdKk=GXiIl z&VL}v*Q2LCD*{2!%8JIxz5D-Cz>hfNx|xd$rs<6T#wMUefk!J*qSQoYno1PqISA_6 z3NsbWv25Wp-R>W|7n2)UDJKxjxY9KEH3FS_ad4?aPAa)V`bIS^H?_{dktqxp3dRdl zI$slPEHm&m?H32hCxpiO>j-{vO{OBA0CLLS6!8rh>>CViB3x9RAGimDZvuSf{HY9bmLYBz-auh=%h zkKM@OK-^gV!&#bpHxVC8%)q@DedS;)G~g-!>|i+FwU4pvhM_1)iMCxb_2NLO+3I^C z9vwn{qEaI`O{c0y`KZk598~=B48h%rdm8)u`+J8c26Av?hWZiU5ogzPkcXS)RtBPr z156Nq8X=eI8B~l3{Asy~PxO)0H5sFqce!!;Ipz|K%t|s>46_X@VHc6OP5MG{kR{FK zInLf5Qc7U1cYW+JgM9X;yjCo3R_d1+W6(okyRtG0WTFTXSGPpQD|17ILkf0R&yd4q z1LpQ5k+0k3i3z1)dgMdz=tom~@HKmL9}lHhGfBj^s4*0FhhtygmklaX1nE4T6|^(Q z28j}p9Q)kGCa8>6oXuPtni`Z-wt9Z)l!20(VQ1*n#qZ|q#=AkM1<5l6hi)O1OT^#v zb-OWdC$ORwuxzL*b^{B7$5MEN_i~nZPMmhI&Rkn~D_H9vfMj zBG-4+n97(#4Yser*_UuFgg2gKh66WFtq^wku>WG`>Vj^4zO#&CL{kT7* zn04=CjNmKmp7#|ZVVRoq#`b|n&720&Om;)eP>_7?RU6+W@GWFs@l)@{cnpC-iepVD zG6ltvWtMpcn*;;}eEt~o47#Me&LbVajMK3J6j43e>Ne1&A|n2%8;%Rl=Xqr|g*z9L ztsL$oR3LN6&c(@64PlhhomMh6cZr7IhZrKR9m7aa-A`>0O?H(PqE1rqRUP_dM%e6 zR<7|8*1{MEsCY3Cn8d)Od2s?F&pxNxOfD-wWg$_zyemjvGp#cvb}?)4&Q``Bf14TV zt?^#yC<|?Z$(hG=Y7@5A8^3dY;zNs-%F)mHB+s(|7H4OYIk@{v)i^JV?uU`!j=qKI zdl)h(8R{#QJHIuus6EIH(826Tel$`~m!Y$Qr@lRV6M(S<@X?M=2fG`b0d^3FWCZe7 zyH167cGtfmJ&U@ulA}ejXy~6cN7G&G-=59cPfS`c;XK@E zb>C&5(+q=blA#UtU;C?IVh8;EG0qH`3Y6T-*Ar2gKiL5m-1@_B2N5S0gjXlt>mH4F zY6G>qxs2?QT7CVG!WSsXPz;B`iK^#-DX-|WZyitn=6xS~?pea;;;pymCEk)pg7{7K z^fVPOEbHqB*k2z5vTy50Eg=(gA%`IigVZ3Cvgwc}BI>z)3Ao#rr%Uf^Jmq8p;O7nX 
z`n9@#TQb_tB%yEQ#0%Y2u}C36dK9F%jRwSG%gh~9gOj@# zvtW(C+Jn;)VyMU3_C_z;4@@3ywiJ+W;Xu^c4JNoc8}saj$3wZNK@kqbd!QvVbuU3l zl}`ZBcxNu{`+}|!g5l+x5fpH0A)NWAp_kM7`XNW9qF0X|s+`ZWOt{pUaU@$7@JSR3 zi=EPUA}hMMdm^cZ-hug#3ggGQMXZI^rnJls((^d0I=4cNtvze^sUjU9=!B)j3`2*O z9q7&&M^oO@?a%FlOYl5CPr2@Or}5>0?kin6beZ2DSinI>Oz?_~wIo6_*6GV1<0@9jZgC;`_dbX>5p`^1%6P^!NvBg5 ztL8qd?}HL1)WHaR{^qHMf4Iw>(T>8H4HB_|B@U2P;%&X``n)8&R4IqaJCStgbPpzRC zCjW2o<=@fZA-h zhI&oJr^p1J8D}xWN@n|ltDKDe)HVCQT~5vVttP^~Q5+ndi<2dhhL_)6&fXHS1(ghbBV1>l7fkpHaYI| zWSd^896mhknB$^htk*xAD1n?`IQq4Bko_Rw-~YdYCP3gj))0X4#T%*XC6ea?h)YXh zCE(%y$9X0=dA8kcn zJvY7RmudQ+o>$spa)fYq*I6Ch%`XBqfhIiVLa<_8(vk9vTUiV6=*S`kvOSA?R5wR# zzJ=^hf2GYeGMauSiG1PtfC=w_37i+UFmuXs2fjsps0Kx;Fi=-MWlz=xH+e+ys-9QI znP{AXc zuUiaMxRKJYbg`UzBacmZ-!QAFx+gqQ?6^q*g-lSG@EX%)2iLhVE#=Mc&rUbQWuiln z`w@4ij$D|bqFIixA|BuqOQ`1s-r7j{JfYPprc_72V@K``6~$54=w7{m#L=yu^9}d8 zZ8s@u%E=IV+QO?sOM*#7Zq5Je-FRV!39{h`9gjh}?4<|e^1m!traDY`cNQ` zc0kNMXy0EiHi_X$IWkzrLN$X&`3bf^vr3?Lu+UV;L-&E~)_x`}MTLZsd7Y0Tj7d6O z^j=EMjOFj&9XLWFJ}DGdQK;KR-?Nv^vQp&bPOev_uQ+v*nq&Cs(6or3NQQT)Dyg-e zdu~H7zpw_JvQQH4cIiK>@+%qcstf}Owv?Pf<)XoTK!>YWT&o8 z+rmUIVY$rRSQ1bSv}4t0=_N!O$comK1ny_EQ2pZ7KMC5u?*ORz_wwIi`Hhq%_Z-)^LS3bc!5Rw~-ZVc+tx_kTSUWTjuaE0uA!Hq- zA-h$RUylSDki5lyIzPvPCT4+8i-SPtH)=7H^s-x08L8qv1~-CyuOFQiY5JX1sx4UihPH@R z!X|N%g5+~Zf(~UArj=<;3{+GU=JjHWyO^B#H?PZlUiteFyD%CnhfN|y)QQ@TAy~#* zeZ<2lozpfP!xk`+ifFr_4}oC#@TX2u!NQrsxs+fcwcp}? 
z$G&Kpdgqk8yZcRFJB;8POkx?W$X^}rQ7}D|adATV$ z{p0^^{TD6#w`%gf^u^8uN1bPTmVrtI+IMo2Iq1gz4Gzhc-zPRW(eqn>>hmPcI}Sn$ z3;iD_N}ql!iQ@krFEN3L+SgqkPZ*>)>3>ka+V`dZ%L;AKzb*;>tCAqX=1;-*A7nA~ zrS>2U-se`Qy06t2zXR!?y;$x5^yCVH>R@_;4|D!&mqm34e%O^^$|Ue)Vi@1?!ou~K z4!WEHz0ohu_X!rw%t!N{>RTW=zl0<1QzKPEGn!EEB~dpWOpdU+;oz<$OyzN0#qQw# z|7yWFESVJmj@%}F7l3qa@;}tb|EkFN|7;|mxNU!q^!MFyEjy+XFCWled|hyPNVL?_)1AF!_ABbN1hw z<38R)zhu19cK@3C_SRnQ`G4FxkrsI`<+-!E4Bq8G$e|fqHQCw_5h6+xqi&SSaf}g& z>d1tVlJ-U2O`G+#uw_H0`X8-5a9*7Mz|=;nPp;8>6qACW5$8%-+cBBm$&H!Pl||cI zd)|A<1W*4f_3YITBOL0)i^Qm{E~w6*505^E331g7xH7AX&yj8MF6>-7Z=XPk;H#wx zSeqp*YcaIdC7{m&5x0vvYfSd;%Y0JwJ-BKesTpMR+u+OM@lY3b`YMYRpI1HVv);%J z8)j5B4_Tk}9X5}5M;>E0;{5i0_LlKLAhNA={SAd)*}J2U@1LXZ8I$&cOT76Ow?uib z5-tAtsc1!mw+2MOw4Fk}Y;uR_?F#uQQb~Atj37JwL|~^wuzd2|!Z(3P4IZ>z9}dyK zLYAPQOqD5S$#EE?WC`pU%~xia)RX~_C+sVuET zB`uM`wCv-#g%*K0Ot-)bRMGm5@2~+!+ZWe6v3_&dPKHS{t_SP!kyXL^qF7j#A|$qq zxl+?$WoSThMO5!{ffvE?2)yhg*XN0sYKVFPT-BxdZ_Z+5|M|kYYF^8l;8b*Gdu`>Z zwbg8`9e|9ZIBNO5VThkOeASs&G`Mb=ysHJ8>=Tw32`D}q$+`uh0Jql}c z--33q+XwA{RI;Mp-EVW+%@Diaj$PdD$c)PQ75M2@zphtoz*`-4yY*8>h-iFqj3?F2 zD6cMpow{C>XO#W#^lT|z(^Bz1mzS$X{e`aHry6sd+C=BVUru}e^c>KgoP#wK=-a-` z7d1J#wrrD}J4c&wT*$qpcVIwcC^q@(lY)|#{@3?fjSMf}`h4-{$*D`!ODeSJN;PXy1={n}6%=G_M)b0H= z?b)Gf+ke^!erpO^=rqrvZu#C4yy>2_w@FokI~3Vh7a7t5Z}Yrg+M#2uu{s47F|i>% zaoKp^C+vN5^ScEB-c7aOH%qSG#d8=Id6f#_Qk{E#@mp&lJV)QIW(O?hni!Sa-F1J~ zt#G0k!lDx*)3b1&iOf>)Gg+yAzSPeg)a-H3Cpq&azIphRfiTb9(d-AO-m5u>D&y9U z7oO(GS9h0sm-fl&nW%^`O;WVDSf0yF>~#O{uiBuP3MV`&kAY(L4K+(NY{}pu!=X+- zx|s|?yC3l7YF!tk(#C9%PLu5GJ@4Stg$aB^G&MRN{a=i*V+GIOuD*pTcili-{qb|E zr%O|@0>Tn@TFDci<>mk5o_1Fmo#dmHp=vnI*w+(dHnwdhhUIX%;69Cnp>RYds(FRh zulv#H_6e)I0(mGG3Nopw*6E*{F6p0!sB6N0zDhCGKe-&#zn-&XP1iA>pDbn8 z)r_7kc50XZxFty$-A65eI}_W;>IQ?U=_9NsYE{=L+KsT!Y_osooFCPgx-S)C-B;cB zB-h~U2`>BC)YMcdX#P*yjBp`$h*2E8%|hK#9olheD<9?5;u3SrHoNM`RvIKJ;(KUD)ZPptvpqW_8|CnR zh{no+tXmGnR>T5zL#LaG+lmLDUZ*b!|b9!yRZ^mx$*MwcaW#OZxeEc4;X aYF~g~YEO-3Jd+SXYExCxP|TD!fAk*`89iPA literal 10359 
zcma)C2|QHq*T05IhL~!yWE+wtvSybVOGO)!Es2DZ>{~LJp%7t83Rz2(HT%9KdqjjV z6J?1owipwd_YU&w_y7Fg&-?mV=05j6=RD6j=Q-zlzSn*I^QZQ}4#EHc*rThXeE|UI zkpKWO-AxaU zbRCu|ZG{a705le$VyOYtPcM%g0jHuzy1;n{4<3}0lRJ0roSmIrKtMoTTwGycVO?Ea zdwcu%_&BIyURD-Q!smRRm^Ydqp;Af2Kx)a`JQ9i84}jVL8}N64V7Q=UxXI>qI2V@- zxD){B2>CD#(3VIAK76DiqNxG;^H?nP1n>*%HudDr{KSLmQirl&=H+EV3KmIy36KIw zkAWUy3K6f5Hgb@{A^~+%-Pc0F?k#KaEDJ%%od6l=K4?% zC+NuoPt=xoei*Tg-AKf1!@Y;7NiW!_vgFwpygx!fF8fZ!JfNiya54E=P@$090DxYw$CJv4i! zRTt$OrhCOnTiy@Fnjb$-oX^+8w7*z8JYDPRfJ#8L%y2|gUg{%TzlNClzmz!R;BIp8 z<(h+qNrzR2kBL#ayb+mPX%>^6b+}YgabYl`Js8x-&zzPWo(_bk7w2k*wU^3MJ_R(7 z>w7!ga852(-nBTSCS}6bL)OCmiIVkrMsP1F-p5C8& z&cwVC;^5_S6xqM%YabW+)aR(#oTxQO9Oi1px<0aZK9?Isu_dNBt$qr)ehFFa*OzW? zup#KPlJ2=It@lC-zcQrtEy%U6TFqg&Y~M|FdyzvW1N9!ou|r>_7+^y3zXYC4een{1 zF@>6Jk|#bpqBtAUq<87pvd?P$oAoqwa9{BK$TiLV2T`+BeexdG70_NOHx#X-s}@U- z{emp0z95tiHH0*NCpxH(Do9m#a~Sze-;|MBtJeZuX^wO6-7^;sL&v`;0c@LBJ@jqB16^~!g z%PhEGI;3N1Vb)g~4$+OwMaRGOA8#^yZ;pTVOku5fX^!2dX5AOZIXyYl@*wNsLQgHU zd+@uXYzfi=-22Rz`3Ou!@4;Qz8uaPttD!MR-my329WJ3dIIbC8t@vhE3$ty+uy*@h zt-+LjAXlEd?hYeI+)?SI7=rfvGJ#<&$V69gHQ{eN^HlbCYJ}COW8{0yN(*y_@_J7h zfPq1_jw_(_#EK zKPmhdb!Yb)4hJKg$J(pl2FB5@YJVx?@hG-~CXwmKtv}yVXiv!$A9@_u>L!=SiyO{3 z-rK-?NHjD1mNCxGT;Iq}X++w5A&laRe=aFv87qb26IlrGuy7cqNGLdvxtEiFi-9T} z-2HiM&f!>2DThtD!jqf3s#my2F)inO2el6O7@i~eXS*ppgjg}5QaMYROl+I)LxAj* znaCmw9>i{ZDvD|BTMGKW=Le+Y?+x=+M;Rr`9;_u43aNvL!hxEFywOqT@VBkb-S{d< zT5~4qH_8B+T81}9oGVXX)20j;r1Tz2FAFwpc))Cb;^Sk73In8SilGGZu)>2#eI)X@ zb(}g6L}pa;lEJa@cqcImC?Pq-bU~|qTLw3@fWG@Ya5>2|gDnI-$b@xpA82hn9m>Vg z9rj$T--BP=QfW|xq`ud>>0Z(E8*TDLLFnSRq8a%<-U~AF{IZ{0{yy6Lha(?rl5w%F z0y(1bZs*AUlzN}wZ%(%V$T3Bhc9@3~oosbf>0Idc#W`aFi}nNg`_($xhS? 
zU+$?k^lwkC^Ko?4)i!`ie(suWav)pUO8nl8$uLg7<~@kOtlQN)O+#{#Di2wshYZpw^ShHK}z^ zwRS{lN_wkUf97QlCPjNAR=q@P_NUs7K6R+z7X=qXKmyesqpTWQhh zeR6qG+{MRG&bME#-~91>V`CV#eA&20sI0cP`RLf*Hmz3!tK;#cxy7lL(>ItGdwDsc zo_apu*SEsyV?;DNnxy(Y0`SbdKTXFY_ntZ0`E`HynO&1XeiZ`X=2MtpLJWVLPV%O_ zCR?S9D1N)U;~r~V!b}ZIS|ZTJK%WKQ{0rR|xO1CKtU5w+K>vx6O(V}T0HIu<^|7%# z-b!?8=7P&frX4t8m^;Ncc5p3MbTvXrV3whdV)dPLhvsN?QT+1GBTnNPNmh#!HORk% z6}kC%XfYosJAn;mbA0D!{xfgJ?F;b=>W1NC>Ma~LnT|f|I4$%f^pU=QJpVqY$ld$y zr*^eJVdM4!?WG9@b739afeqZA5;LNOZ~LZ+$2G;dKNtNT8AGnSz$XA1twAOLF1M{P znUr+CL+`0xmxuedl64P7m{5Co`+TKO*R@}GF_q)oE=N9>bJwef<)c}MvokVDY52WL z%*&(SO-B4{BcR^`#IIa?3^^0>O?B^01%HYzsWZx0RrmMabKdw=bdvw*)f@X@M~^&Y zgK5Wi>P4z--6@5Xk8<6sW#!8$xnC;K#|&NUN%(c6IN3@9&p}L{$WKLUE>v^19^3*W>$Ox9dc`~bu4Xta?NI-%^~GpHaw)e+E9&_atE?D2#OJK$(T+~; zE453D*GVVwA(PWeO_1_R-Cx%(NQK-%OIS_hCuJ1dWIK{cHGF+Fe4R3 zSj*BawtyB0TZ*RMX!}A3?G6YNu&A5f$1@K9rfn_I*Jybtn|3s*F1@Cn*Spf>M zcXoq*1{6f$8rw3Sy5vd1nJAZz5qY*pP=xAn;Mdp1JvS4_urn%T) z-{wcm{ygC3&V2Xq_2*L)+h<9+KSH^s6ZWav5x7n!el=;-XUX@6B9__~wu(6hr ztcA%NwYsGNthy%kJ<9KR@~&&vcvZQ@;lU&0OF)B$MpA|pJmKbZiLLXsbEJD_m1xxl z%pu^Z=Pvtp=*YHl*(#yTLK084dOEgi$l@Dr=)MEs!Hf;$UTfF|S}HvSZ5^}~0N_on z>{r_dQ*GuXP8$k7@TJb_%PTOQfO+aKgC@{zN6;`KgC(P;wG$2M0DZ>St|&;00zQOJ z+P1rXfAs6qcpJ4C{nx2~0WL!dT*kar=;5H8_icrxbSlzZZ}<_REVf49ldAXpncERT ztdg}6UQax+y(Mt#pBLI>xl;}m0KRWqPRDLs%VJd#WPZbe2$eozWX-HWf+eunQ7Ta6e7bI&ZpzFj80NrCbS_f>dfc73ML)QVSgpGnT#zm<1? 
zPk@0NtM;DR@Y9<3c79(}RD@~AX3nEv2{$2ij0Il5uNGGC=`x4|-~vXznfJ{IfmOnK zu|N3PyS3;vb_$i@%&&niAJe+BN882?2MRn1HqS!q zoXVQW4U741-2t;Hq0_)6kc`#d-bEzHlm)fJ8c;|4Fy2nWz;&y{)1?zbqmQ5KZtu=qdwE}Q%(y=cyb_PfQQ*R;N%aYd~*81!EUp{yB zp8hy-*!#p)QCelxB}Ms*mYW|NKTWC_@OWI@;d<`Q`Ut~*=&h;T(vAYb_1?}dTr2j3 zKJt=_6Yr_blDo$zfHg1J7j2k3?&NJb`vseVJ`aIDe{pnhpqvmfT6fhd^d;cL$K@k{cBp*t5(Dqf z5oz_rEJuv8|EZ-tiI#T=LL!~c|F?$;(){O9oi zeovRAHTrnBJ&KV*4XjB}Hy<5UoF!wgtK+6c-7Bu{;+4vjC@j5GuG0kZsX~e17~CL8_Qh<;cnDK_ZwSPvd*eh@ z|1qH$v#^oaQyyj9&GJxdWA$CXbfeam&c_C|ym^jpAUJeA7BAnR_XzA{j6;MD-6`q} zB57_PvzT#F{3L|;J9?(PXU1zW-(bl)%7nYF5?9rIl=rm$D4d5wTB*^&;SyFMChDxUshIECI& z7lF`ec%1#C>}qJE?eyJs9kLx5=1x~U3Hr#(`bZ8JTKdXm3pT6;3!RIfKC*VJn6o}{ zK7tP-4t0Uu%2p{Ihf_YxHVKfbX?l6U2*?V=^&0Ia_S$f%h=z}$ahHRPyyeZd5+sK5 zyJs)OX;-}4VRA)fyu?;%t>J;X9oV{N6plu4T3ZBq(x$MU6&BM+KD8oRoZAZVHUYPp ziR!z)I|H=7BhjYW1k^^SB6$F?7VMWx_(rIn7j;r3b$3 zzjL2!_`ZJOH`)$jE3;t^js`I$gWkHkH-#zqm#3>XMh@@o#7SWP5F!K33=i&SYpp1dMHpX=?iu~>{!c+x8lfUp@o+#!; z=o=4n&(}w)QE+Ry3YAgXhPh*sS$7%-s-m0Gwet_^XF-r}+iIM6Rdyf{;q6eOHqH)u zo+JH|rUgW)GjkTOzkf!*J!F7HjZJ`fw}Cm>6o3{0 zFb1p8V!&(Zci8qLU>K4Rsx<*rCq~|fP~hPOQf0>4?yZkMON|Lbzz&Q?s78KIvpkzS zb-r|zg@$r%^4Fw9s#4K)QHB@I?3|ZLg8wvl*3C<_^fyo|7rq0%!+7(;Rx&jSE8j(3 z0$cSyBAU*y$#VQ(OI?+2d=hi-siG_iZCwb9t0QpZTI% zxnUCAVRPEA2I$8`@%-)_o=2dFEYY}48YLzP`;p&}KH zzF=DD&+HbUrpT_d1COF-Rx=IH1w(v_JI^M!>sGMECzr}udK9qb@ndoXIv4AYE&Uva zalyV#Nju5O-tF@N%7l!3LtUmk$h3rfZ#sC8O`4Ie6<@p*^^!Rqwx~uv@Q-v5eD$&> zjY*d8Y22n+#Jtq<+^(II^nQC$a72h~`EtcKe`PrJY2=ylHZW+|9m3{u__?jB7_?pl zp^T`r{Sz}^#;;$wu|`rqusLKe0;en6$BO~+ZYcdl#?`GntllESNU!J@1x!$65n&1==ws{ddTr)DS{0y0nEl6Z5mXXFSzS;YBu+ZOnav5{cD2TART zc-Rs{_-#YZexyn~4j#wTfe_se8q`-x&XsUEtYS(BRw3DIW}xws!h8k$j#dlwWlKmm z{Brd6eE?^KDF!O*Xp%@m-sSZ7P@y+*SogiP&*vF6%!C+nb!%fcxA{I(x)1T55oTHV zJ+0^6S!)FR?pAldoq74iBsf?RgQsNJTc%x0$-32PN(~U*y_og48|prx-$(u3jbu;i zO2`1u>w@*<;+$j;hFOCoK!tL$(H0{G7NYPY?`Mv>NcI(>v;B?>52vHoc1S7E>ORIC z=WvhTlN;mNbu>JZgSERMNLGS-_cI8S+PIf`LqSx(kkG>ez{8QG=r2`IlA`_B&n{R!O0sJ<;RP>Q+YjHAt~ve4lM%*|LLYtq 
zAVTL+wyJ*F--)V*g#HTI2^Pbd)e8E1%ph6@G59nqLUJ?zdfa70NdBQ7(p5i3hJbhe zz8)GEccSkyum_u;k`*lp9#Mvo{kAcRTG>_mRP{N-wpmld86^-<%WS%FwC@EV(M2p) zX)ZSfFvz?%wY+C>I!SY??3(Q~dT`@ivmv7MQGg~b@a0Hy9-*66IRK4o5bWRV*=*kG zlCX^SBFNpj+IqaBP6ZC{GbI8oH+F$pcu;HA7@5&hn=*AicU0J2H7_$$vXGc@Z7&M7kfY1x6U z33;EBsk)04^P?^Nj5s9-Axtr7HqIK5cRnqeJWDxiR&Tm+LB#`Dl{!vMaL>Yll|R zz_K}v`wTrHoqb1o&LI%2XWg=vrPh+ALpOy(Z9+w!U?d$!CJBU{wW<|VpB*| zckp%2<^wJKl>1w{tec{`{d2?Wgf>L~40WGRIdmBbh=M>xsm2%zV-VG9SJG0=-4JnB z&?(z6-P9p7$}*b`|3J8fcUjBdTD4(-I2`yeE+266>&(Ma4>w7_!&UqYr*OdGnHQW6 z)+4;(M+rBl z5l#n<1Kt2HK)ST!ftG|k4IzQy1cAzG(aKlpsDKB^C8Q#D86#Dmz|vk)e4_7ctcmn1 zTw$t>)bb8pwtwb|E?lF%QK7{$nC(n`E4kvUrc&#=Q*Vb#F*1~Q6wo>t+Fg)Fs6huS z9v8aRuV&2(a6d9hQK|D3u){!OgS5ZVfL17%B^^v?-zIN)N->n~!0O@2$z2A>k*7$z zb+&1kjeFrK+Uu6B^4MusZRl-Y2%_b!5sw=VNJ?kba z7IMGupJ?L!xO;+k#6-Z3P*{yNmKVQAYi~A*dXfh2a{cDVN+{17fMUrvN8_;k!LhDv z!KP1Lwp9Cq&C=#a5A8#omN-iqMYcnM{#oC4(%fP5QjarVy})__x6(j??%R5AM3Yt| z0(LiPG^RME+pY6$ ziywy>CP0>Elt%nCvx&Yz|CMZ3?|=X-tSi9>1YTIw$q${L-|2gr^aBHCX06+q*aSq<}JjmJM52hi+GxN z#zF{NQ)Fr&_FC_+f=1%rAy;U3cHleh@cyNA2bI$Z@qgu+|Lc9tANc=olKX%2Fv!>b z+a{Q}wIDw7?+E)ZXOohHAi6DJU~!c9Y}mgNhiQ4QJ>R1j3mIwlDZ9R}CTt}l0DX1g z;ETWeOE4GT<W!uwQKI;!LkS)4qF$hpFJTtpCNhZ_vxM*W|tXZbPeuodyn!lf#3K z&4tgrR|WdQEs%4`-Oa=HzukWwN+TjI$4UO(L#1U-9vFj~f$Hi}%mj4NO>Tt|HilGG zsSzEX=@Z2dz~39~t|sl*(pgdd{aeg$J#hk+fzlk@vuH%x-4|`6TJtu?09mMeC*0?( z4RHB!(2=pPUO(80PG2gs*lR~QfDuksL`8LFUPy6Xvs@V*XzfbA`EB#XNQ(OQn_bs$ z=Oa;=r~ToB!q+ptCfD)L=`vx+ZNhKr#UItN&kao1y{(#b+QVxuuwqbj^uzggPrv7p z6ByX5o-<`HoECc1>bt1oqEsk1&i2jUS#S4#drb7s?W85@Tq{$;ho5C@GOJW9f8_ib zIdam|I*z>C5P`glkgRIhG#2Q2pB4F*%7{@tHN!ITWoh5)w*z{}v6$0V#U@vImH4zm z_)UIN>Aqj*O0FmPUV&IvePg;?b%7~+5svq9qT}az@aHB_G7d4+WmI zODdi1meHj~=>D=uFR3JAdwS;ezIOOtf(%!6Gci+g^ zLqw5G%n9)l2fLvQ4lP+mj?2T8MdHF}m735|Jj~X(oWC8?Dkq0}oolMzocpSOtj|ie z@(BHR_XvLqNhr}R=OFf(x#hY_qXfQU&@QJx_hm0R=J&N1U*{?w(OVt0wJ4KsI-oOQ zoLj*ac=1G%yu+nLqkHD#KaOM(Psf=24idg>N9-oOAUFmWWLwCcTXL`;JW$N#ZR8`T z?KW#PdeuLa==ZcmxK_~o~XADQ1U(Q)4} 
z<|u7yXHIK#Op3XeLj*E>t`Ybb)x>XoO+RR4cyYGg(>6Y8v6Ved?4{jDFVl+(A1gAQ zuI;y-dY*2fdn(bv`9`&K>VCptv9I)=2v$c*V|8BAD?2}zuO-mY>+(SMOS7!Ag@d31 zj{}Con1-AO9Y2Qhy8Qj-o)rH+#4*jB#{0V1A#Hid%MxkZ|EAfbEgMa!_nX#Ye&;<@ zqSEtu5}x-6#JhBp2#n z39^IV38i*3{)UORrNJzxy>$YI&T+>~=dXS8J;lBEnoow5{1Uu5{4>*xKi=Ce*2XW{ ziEci`3u7dK2=(pBz9Q@pH)FI|$Wgn<>X1Eq@>hpL`E@MmWRLE2*w?ZY!_REOJ`eXS#V@Hh&hxrf)jV}hk8X|sd@T5`SsUliJltV4a1>YQ5yK{=u ziI&ECCNr;{`ZTkCsW5^QO^^!Q?+?1e-^7=o!`h>w39QdiP}!NrOqfG(OxMzNsVDZk z9QaqPm(B6n_L&mzy*NHy?k`m@>VjSN^e2SNm&mj0^i1|c%6m7Qz-bWf$w=5mC%rxw zf^~(PZQ&?#*&|e*FOf6Yv~g(jA5jAO!ZVrTvngwq^3#;FibYrMMg^^cW()bWQ7J( XfuTK=V}}Gk(Z+O7oY&6Pvrandomizer_cache[0], &ecmult_context->randomizer_cache[1], ecmult_context->chacha_seed, idx / 4); - secp256k1_scalar_split_128(&ecmult_context->randomizer_cache[0], &ecmult_context->randomizer_cache[1], &ecmult_context->randomizer_cache[1]); + secp256k1_scalar_split_128_randomizer(&ecmult_context->randomizer_cache[0], &ecmult_context->randomizer_cache[1], &ecmult_context->randomizer_cache[1]); } /* R */ @@ -368,7 +368,7 @@ static int secp256k1_schnorrsig_verify_batch_sum_s(secp256k1_scalar *s, unsigned secp256k1_scalar term; if (i % 2 == 1) { secp256k1_scalar_chacha20(&randomizer_cache[0], &randomizer_cache[1], chacha_seed, i / 2); - secp256k1_scalar_split_128(&randomizer_cache[0], &randomizer_cache[1], &randomizer_cache[1]); + secp256k1_scalar_split_128_randomizer(&randomizer_cache[0], &randomizer_cache[1], &randomizer_cache[1]); } secp256k1_scalar_set_b32(&term, &sig[i][32], &overflow); diff --git a/src/scalar.h b/src/scalar.h index 4b13bd7bea..cceccb662a 100644 --- a/src/scalar.h +++ b/src/scalar.h 
@@ -105,4 +105,7 @@ static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a
 /** Generate two scalars from a 32-byte seed and an integer using the chacha20 stream cipher */
 static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t idx);
+/* Splits to a scalar into two scalars in [-2^127, 2^127-1] */
+static void secp256k1_scalar_split_128_randomizer(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k);
+
 #endif /* SECP256K1_SCALAR_H */
diff --git a/src/scalar_impl.h b/src/scalar_impl.h
index e124474773..070da0af16 100644
--- a/src/scalar_impl.h
+++ b/src/scalar_impl.h
@@ -294,4 +294,13 @@ static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, con
 #endif /* VERIFY */
 #endif /* !defined(EXHAUSTIVE_TEST_ORDER) */
+static void secp256k1_scalar_split_128_randomizer(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
+ /* 2^127 */
+ secp256k1_scalar t = SECP256K1_SCALAR_CONST(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x80000000, 0x00000000, 0x00000000, 0x00000000);
+ secp256k1_scalar_negate(&t, &t);
+ secp256k1_scalar_split_128(r1, r2, k);
+ secp256k1_scalar_add(r1, r1, &t);
+ secp256k1_scalar_add(r2, r2, &t);
+}
+
 #endif /* SECP256K1_SCALAR_IMPL_H */
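Review bot: The comment added above the `secp256k1_scalar_split_128_randomizer` declaration in src/scalar.h has a wording slip and leaves out what callers need to know. It opens with `/*` where the neighbouring declarations use `/**`, reads "Splits to a scalar", and does not say that negative values are stored reduced modulo the group order or whether `r2` may alias `k`, which is how both call sites in src/modules/schnorrsig/main_impl.h use it. I would write `/** Split k into two scalars r1 and r2, each in [-2^127, 2^127-1] (negative values are stored mod the group order). r2 may alias k. */`, keeping the aliasing sentence only if secp256k1_scalar_split_128 is confirmed to allow it.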
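Review bot: Nothing in this commit tests `secp256k1_scalar_split_128_randomizer` in src/scalar_impl.h: the diffstat lists no change to src/tests.c, yet the randomizers it produces are what batch verification relies on. A unit test could add 2^127 back to `r1` and `r2` and check that they recombine to `k` the way the plain `secp256k1_scalar_split_128` outputs do, including the `r2 == k` aliasing that both callers use. The body also carries no explanation beyond `/* 2^127 */`; above the two `secp256k1_scalar_add` calls I would add `/* Shift each 128-bit half by -2^127 (mod n); a constant offset leaves the 2^128 possible values equally likely. */`.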