UltrafastSecp256k1/docs/batch__verify_8hpp_source.html

#ifndef SECP256K1_BATCH_VERIFY_HPP

#define SECP256K1_BATCH_VERIFY_HPP

#pragma once


// ============================================================================

// Batch Verification for ECDSA and Schnorr (BIP-340) on secp256k1

// ============================================================================

// Verifies N signatures in one multi-scalar multiplication, yielding

// ~2-3x speedup over N individual verifications for large batches.

//

// Method (Schnorr):

//   For signatures (R_i, s_i) on messages m_i with pubkeys P_i:

//   Pick random weights a_i, verify:

//     sum(a_i * s_i) * G  ==  sum(a_i * R_i) + sum(a_i * e_i * P_i)

//

// Method (ECDSA):

//   For signatures (r_i, s_i) on messages z_i with pubkeys Q_i:

//   Pick random weights a_i, w_i = s_i^{-1}, verify:

//     sum(a_i * z_i * w_i) * G + sum(a_i * r_i * w_i * Q_i) has x == r_i

//   (ECDSA batch is less efficient than Schnorr batch due to the structure)

//

// If batch verification fails, falls back to individual verification to

// identify the invalid signature(s).

// ============================================================================


#include <array>

#include <cstddef>

#include <cstdint>

#include <vector>

#include "secp256k1/ecdsa.hpp"

#include "secp256k1/schnorr.hpp"


namespace secp256k1 {


// -- Schnorr Batch Verification -----------------------------------------------


struct SchnorrBatchEntry {

    std::array<std::uint8_t, 32> pubkey_x;  // X-only public key

    std::array<std::uint8_t, 32> message;   // 32-byte message

    SchnorrSignature signature;              // (r, s)

};


struct SchnorrBatchCachedEntry {

    const SchnorrXonlyPubkey* pubkey;        // Parsed x-only pubkey; must outlive the batch call

    std::array<std::uint8_t, 32> message;    // 32-byte message

    SchnorrSignature signature;              // (r, s)

};


// Verify a batch of Schnorr signatures.

// Returns true if ALL signatures are valid.

// Uses random linear combination for efficiency.

//

// Performance: ~2-3x faster than N individual schnorr_verify() calls.

bool schnorr_batch_verify(const SchnorrBatchEntry* entries, std::size_t n);

bool schnorr_batch_verify(const std::vector<SchnorrBatchEntry>& entries);

bool schnorr_batch_verify(const SchnorrBatchCachedEntry* entries, std::size_t n);

bool schnorr_batch_verify(const std::vector<SchnorrBatchCachedEntry>& entries);


// -- ECDSA Batch Verification -------------------------------------------------


struct ECDSABatchEntry {

    std::array<std::uint8_t, 32> msg_hash;  // 32-byte message hash

    fast::Point public_key;                  // Full public key point

    ECDSASignature signature;                // (r, s)

};


// Verify a batch of ECDSA signatures.

// Returns true if ALL signatures are valid.

//

// NOTE: ECDSA batch verification is less efficient than Schnorr due to

// requiring per-signature modular inversions. Speedup is ~1.5-2x.

bool ecdsa_batch_verify(const ECDSABatchEntry* entries, std::size_t n);

bool ecdsa_batch_verify(const std::vector<ECDSABatchEntry>& entries);


// -- Identify Invalid Signatures ----------------------------------------------


// After a batch fails, identify which signature(s) are invalid.

// Returns indices of invalid entries.

std::vector<std::size_t> schnorr_batch_identify_invalid(

    const SchnorrBatchEntry* entries, std::size_t n);


std::vector<std::size_t> schnorr_batch_identify_invalid(

    const SchnorrBatchCachedEntry* entries, std::size_t n);


std::vector<std::size_t> ecdsa_batch_identify_invalid(

    const ECDSABatchEntry* entries, std::size_t n);


} // namespace secp256k1


#endif // SECP256K1_BATCH_VERIFY_HPP

secp256k1::fast::Point
Definition point.hpp:83

ecdsa.hpp

secp256k1
Definition adaptor.hpp:30

secp256k1::schnorr_batch_verify
bool schnorr_batch_verify(const SchnorrBatchEntry *entries, std::size_t n)

secp256k1::schnorr_batch_identify_invalid
std::vector< std::size_t > schnorr_batch_identify_invalid(const SchnorrBatchEntry *entries, std::size_t n)

secp256k1::ecdsa_batch_verify
bool ecdsa_batch_verify(const ECDSABatchEntry *entries, std::size_t n)

secp256k1::ecdsa_batch_identify_invalid
std::vector< std::size_t > ecdsa_batch_identify_invalid(const ECDSABatchEntry *entries, std::size_t n)

schnorr.hpp

secp256k1::ECDSABatchEntry
Definition batch_verify.hpp:61

secp256k1::ECDSABatchEntry::public_key
fast::Point public_key
Definition batch_verify.hpp:63

secp256k1::ECDSABatchEntry::msg_hash
std::array< std::uint8_t, 32 > msg_hash
Definition batch_verify.hpp:62

secp256k1::ECDSABatchEntry::signature
ECDSASignature signature
Definition batch_verify.hpp:64

secp256k1::ECDSASignature
Definition ecdsa.hpp:28

secp256k1::SchnorrBatchCachedEntry
Definition batch_verify.hpp:43

secp256k1::SchnorrBatchCachedEntry::message
std::array< std::uint8_t, 32 > message
Definition batch_verify.hpp:45

secp256k1::SchnorrBatchCachedEntry::signature
SchnorrSignature signature
Definition batch_verify.hpp:46

secp256k1::SchnorrBatchCachedEntry::pubkey
const SchnorrXonlyPubkey * pubkey
Definition batch_verify.hpp:44

secp256k1::SchnorrBatchEntry
Definition batch_verify.hpp:37

secp256k1::SchnorrBatchEntry::message
std::array< std::uint8_t, 32 > message
Definition batch_verify.hpp:39

secp256k1::SchnorrBatchEntry::pubkey_x
std::array< std::uint8_t, 32 > pubkey_x
Definition batch_verify.hpp:38

secp256k1::SchnorrBatchEntry::signature
SchnorrSignature signature
Definition batch_verify.hpp:40

secp256k1::SchnorrSignature
Definition schnorr.hpp:25

secp256k1::SchnorrXonlyPubkey
Definition schnorr.hpp:107