Add an appendix on RedDSA batch verification.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-07-27 21:35:40 +01:00
parent 90692541aa
commit 2f0c68b616
2 changed files with 128 additions and 27 deletions


@ -766,7 +766,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
% Conventions
\newcommand{\bytes}[1]{\underline{\raisebox{-0.22ex}{}\smash{#1}}}
\newcommand{\bytes}[1]{\underline{\raisebox{-0.3ex}{}\smash{#1}}}
\newcommand{\zeros}[1]{[0]^{#1}}
\newcommand{\ones}[1]{[1]^{#1}}
\newcommand{\bit}{\mathbb{B}}
@ -1253,20 +1253,23 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\RedDSADerivePublic}{\RedDSA\mathsf{.DerivePublic}}
\newcommand{\RedDSASign}[1]{\RedDSA\mathsf{.Sign}_{#1}}
\newcommand{\RedDSAVerify}[1]{\RedDSA\mathsf{.Verify}_{#1}}
\newcommand{\RedDSABatchVerify}{\RedDSA\mathsf{.BatchVerify}}
\newcommand{\RedDSABatchEntry}{\RedDSA\mathsf{.BatchEntry}}
\newcommand{\RedDSARandom}{\RedDSA\mathsf{.Random}}
\newcommand{\RedDSAGenRandom}{\RedDSA\mathsf{.GenRandom}}
\newcommand{\RedDSARandomizePublic}{\RedDSA\mathsf{.RandomizePublic}}
\newcommand{\RedDSARandomizePrivate}{\RedDSA\mathsf{.RandomizePrivate}}
\newcommand{\RedDSARandomizerId}{\Zero_{\RedDSARandom}}
\newcommand{\RedDSARandomizer}{\alpha}
\newcommand{\RedDSASigR}{R}
\newcommand{\RedDSASigS}{S}
\newcommand{\RedDSAReprR}{\bytes{R}}
\newcommand{\RedDSAReprS}{\bytes{S}}
\newcommand{\RedDSASigc}{c}
\newcommand{\RedDSASigR}[1]{R_{#1}}
\newcommand{\RedDSASigS}[1]{S_{#1}}
\newcommand{\RedDSAReprR}[1]{\bytes{\RedDSASigR{#1}}}
\newcommand{\RedDSAReprS}[1]{\bytes{\RedDSASigS{#1}}}
\newcommand{\RedDSASigc}[1]{c_{#1}}
\newcommand{\RedDSAHash}{\mathsf{H}}
\newcommand{\RedDSAHashToScalar}{\RedDSAHash^{\circledast}}
\newcommand{\RedDSAHashLength}{\ell_{\RedDSAHash}}
\newcommand{\Entry}[1]{\mathsf{entry}_{#1}}
\newcommand{\RedJubjub}{\mathsf{RedJubjub}}
\newcommand{\RedDSAAndRedJubjub}{\texorpdfstring{$\RedDSA$ and $\RedJubjub$}{RedDSA and RedJubjub}}
@ -1432,7 +1435,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ZKVerifyingKey}{\mathsf{ZK.VerifyingKey}}
\newcommand{\pk}{\mathsf{pk}}
\newcommand{\vk}{\mathsf{vk}}
\newcommand{\vkBytes}{\bytes{\vk}}
\newcommand{\vkBytes}[1]{\bytes{\vk_{#1}}}
\newcommand{\ZKGen}{\mathsf{ZK.Gen}}
\newcommand{\ZKProof}{\mathsf{ZK.Proof}}
\newcommand{\ZKPrimary}{\mathsf{ZK.PrimaryInput}}
@ -6540,36 +6543,41 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type
\begin{algorithm}
\item Choose a byte sequence $T$ uniformly at random on $\byteseq{(\RedDSAHashLength+128)/8}$.
\item Let $r = \RedDSAHashToScalar(T \bconcat M)$.
\item Let $\RedDSASigR = \scalarmult{r}{\GenG{}}$.
\item Let $\RedDSAReprR = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSASigR}}$.
\item Let $\vkBytes = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}\kern 0.05em}$.
\item Let $\RedDSASigS = (r + \RedDSAHashToScalar(\RedDSAReprR \bconcat \vkBytes \bconcat M) \mult \sk) \bmod \ParamG{r}$.
\item Let $\RedDSAReprS = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS}\kern-0.16em}$.
\item Return $\RedDSAReprR \bconcat \RedDSAReprS$.
\item Let $\RedDSASigR{} = \scalarmult{r}{\GenG{}}$.
\item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSASigR{}}}$.
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}\kern 0.05em}$.
\item Let $\RedDSASigS{} = (r + \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M) \mult \sk) \bmod \ParamG{r}$.
\item Let $\RedDSAReprS{} = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}\kern-0.16em}$.
\item Return $\RedDSAReprR{} \bconcat \RedDSAReprS{}$.
\end{algorithm}
\introlist
Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typecolon \RedDSAMessage) \times
(\sigma \typecolon \RedDSASignature) \rightarrow \bit$ as:
\begin{algorithm}
\item Let $\RedDSAReprR$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma$, and
let $\RedDSAReprS$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
\item Let $\RedDSASigR = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR)\kern-0.1em\big)$, and
let $\RedDSASigS = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS)$.
\item Let $\vkBytes = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk}}$.
\item Let $\RedDSASigc = \RedDSAHashToScalar(\RedDSAReprR \bconcat \vkBytes \bconcat M)$.
\item Return $1$ if $\RedDSASigR \neq \bot$ and $\RedDSASigS < \ParamG{r}$ and
$\scalarmult{\ParamG{h}}{\big(\!\!-\scalarmult{\RedDSASigS}{\GenG{}} + \RedDSASigR + \scalarmult{\RedDSASigc}{\vk}\big)} = \ZeroG{}$, otherwise $0$.
\item Let $\RedDSAReprR{}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma$, and
let $\RedDSAReprS{}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
\item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.1em\big)$, and
let $\RedDSASigS{} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{})$.
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk}}$.
\vspace{-0.5ex}
\item Let $\RedDSASigc{} = \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M)$.
\vspace{0.5ex}
\item Return $1$ if $\RedDSASigR{} \neq \bot$ and $\RedDSASigS{} < \ParamG{r}$ and
$\scalarmult{\ParamG{h}}{\big(\!\!-\scalarmult{\RedDSASigS{}}{\GenG{}} + \RedDSASigR{} + \scalarmult{\RedDSASigc{}}{\vk}\big)} = \ZeroG{}$, otherwise $0$.
\end{algorithm}
\vspace{-4ex}
\pnote{The verification algorithm \emph{does not} check that $\RedDSASigR$ is a point of order
at least $\ParamG{r}$. It \emph{does} check that $\RedDSAReprR$ is the canonical representation
\vspace{-2ex}
\begin{pnotes}
\item The verification algorithm \emph{does not} check that $\RedDSASigR{}$ is a point of order
at least $\ParamG{r}$. It \emph{does} check that $\RedDSAReprR{}$ is the canonical representation
(as output by $\reprG{}$) of a point on the curve. This is different to $\JoinSplitSigSpecific$ as specified in
\crossref{concretejssig}.
}
\item Appendix \crossref{reddsabatchverify} describes an optimization that \MAY be used to speed up
verification of batches of $\RedDSA$ signatures.
\end{pnotes}
\vspace{2ex}
\vspace{1ex}
\introlist
The two abelian groups specified in \crossref{abstractsighom} are instantiated for $\RedDSA$
as follows:
@ -6592,7 +6600,7 @@ As required, $\RedDSADerivePublic$ is a group homomorphism:
\vspace{1ex}
A $\RedDSA$ public key $\vk$ can be encoded as a bit sequence $\reprGOf{}{\vk}$\, of
length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes$ by then applying $\LEBStoOSP{\ellG{}}$).
length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes{}$ by then applying $\LEBStoOSP{\ellG{}}$).
\vspace{2ex}
\introlist
@ -9561,6 +9569,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Update $\RedDSA$ verification to use cofactor multiplication.
This is necessary in order for the output of batch verification to match
that of unbatched verification in all cases.
\item Add \crossref{reddsabatchverify}.
} %sapling
\end{itemize}
@ -11301,4 +11310,67 @@ cryptanalytic attention to confidently use them for \Sapling.
} %notsprout
\notsprout{
\section{Batching Optimizations} \label{batching}
\subsection{$\RedDSA$ batch verification} \label{reddsabatchverify}
The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concreteredjubjub}.
Implementations \MAY alternatively use the optimized procedure described in this section to perform
faster verification of a batch of signatures, i.e.\ to determine whether all signatures in a batch are valid.
Its input is a sequence of $N$ \quotedterm{batch entries}, each of which is a
(public key, message, signature) triple.
\vspace{2ex}
Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSASignature$.
\introlist
Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N})
\rightarrow \bit$ as:
\begin{algorithm}
\item For each $i \in \range{0}{N-1}$:
\item \tab Let $(\vk_i, M_i, \sigma_i) = \Entry{i}$.
\item \tab Let $\RedDSAReprR{i}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma_i$, and
let $\RedDSAReprS{i}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
\item \tab Let $\RedDSASigR{i} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{i})\kern-0.15em\big)$, and
let $\RedDSASigS{i} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{i})$.
\item \tab Let $\vkBytes{i} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk_i}\kern 0.05em}$.
\item \tab Let $\RedDSASigc{i} = \RedDSAHashToScalar(\RedDSAReprR{i} \bconcat \vkBytes{i} \bconcat M_i)$.
\vspace{1ex}
\item \tab Choose random $z_i \typecolon \GF{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$.
\item \vspace{-2ex}
\item Return $1$ if
\vspace{1ex}
\begin{itemize}
\item for all $i \in \range{0}{N-1}$, $\RedDSASigR{i} \neq \bot$ and $\RedDSASigS{i} < \ParamG{r}$; and
\item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{i=0}{N-1}{(z_i \mult \RedDSASigS{i})
\pmod{\ParamG{r}}}}{\GenG{}} +
\ssum{i=0}{N-1}{\big(\scalarmult{z_i}{\RedDSASigR{i}} +
\scalarmult{z_i \mult \RedDSASigc{i}
\pmod{\ParamG{r}}}{\vk_i}\big)}\!\right)}
= \ZeroG{}$,
\end{itemize}
\vspace{-0.5ex}
otherwise $0$.
\end{algorithm}
The $z_i$ values \MUST be chosen independently of the batch entries.
The performance benefit of this approach arises partly from replacing the per-signature
scalar multiplication of the base $\GenG{}$ with one such multiplication per batch,
and partly from using an efficient algorithm for multiscalar multiplication such
as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRooij1995}, as explained in
\cite[section 5]{BDLSY2012}.
\pnote{Spend authorization signatures (\crossref{concretespendauthsig}) and
binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$.
It is straightforward to adapt the above procedure to handle multiple bases;
there will be one
$\bigscalarmult{\ssum{i}{}{(z_i \mult \RedDSASigS{i}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
The benefit of this relative to using separate batches is that the multiscalar multiplication
can be extended across a larger batch.} %pnote
} %notsprout
\end{document}
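Review bot: The requirement `The $z_i$ values \MUST be chosen independently of the batch entries.` near the end of the last hunk states only independence, but the soundness of the batched check also depends on the $z_i$ being unpredictable to whoever supplied the entries: if the randomizers could be known before the batch is assembled, a set of individually invalid signatures could be arranged so that their weighted sum still satisfies the combined equation, which the reference per-signature check in \crossref{concreteredjubjub} would reject. I would extend the sentence to `The $z_i$ values \MUST be chosen independently of the batch entries, and \MUST NOT be predictable by any party able to influence those entries (e.g.\ they \SHOULD be generated by a cryptographically strong random source after the batch is fixed).` It would also help implementers to state the resulting failure bound next to the `Choose random $z_i ...` step — presumably about $2^{-128}$ per invalid entry given the range $\range{1}{2^{128}-1}$, though that should be confirmed against the intended security argument before being written down. Separately, the citation text `Pippinger's method \cite{Bernstein2001}` does not match the cited entry's title `Pippenger's exponentiation algorithm` in the bibliography hunk; one of the two spellings should be corrected.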


@ -200,6 +200,35 @@ Proceedings of the 9th International Conference on Theory and Practice in Public
addendum={Document ID: a1a62a2f76d23f65d622484ddd09caf8.}
}
@misc{Bernstein2001,
presort={Bernstein2001},
author={Daniel Bernstein},
title={Pippenger's exponentiation algorithm},
url={https://cr.yp.to/papers.html#pippenger},
urldate={2018-07-27},
date={2001-12-18},
addendum={Draft. To be incorporated into the author's \textsl{High-speed cryptography} book.
Error pointed out by Sam Hocevar: the example in Figure 4 needs $2$ and is thus of length $18$.},
}
@inproceedings{deRooij1995,
presort={deRooij1995},
author={Peter {de Rooij}},
title={Efficient exponentiation using precomputation and vector addition chains},
booktitle={Advances in Cryptology - EUROCRYPT~'94.
Proceedings, Workshop on the Theory and Application of Cryptographic Techniques
(Perugia, Italy, May~9--12, 1994)},
volume={950},
series={Lecture Notes in Computer Science},
editor={Alfredo {De Santis}},
pages={389--399},
publisher={Springer},
isbn={978-3-540-60176-0},
doi={10.1007/BFb0053453},
url={https://link.springer.com/chapter/10.1007/BFb0053453}, % full text
urldate={2018-07-27}
}
@misc{BBJLP2008,
presort={BBJLP2008},
author={Daniel Bernstein and Peter Birkner and Marc Joye and Tanja Lange and Christiane Peters},