Add an experimental batch module #1134

pull siv2r wants to merge 11 commits into bitcoin-core:master from siv2r:batch-verify-interface changing 38 files +2272 −75
  1. siv2r commented at 8:55 am on August 21, 2022: contributor

    Overview

    This PR adds support for batch verifying Schnorr signatures and tweaked x-only public key checks. It is based on the work of @jonasnick in #760.

    Batch Verification

    This implementation does not strictly follow the BIP340 batch verification spec. The API design is loosely based on this suggestion: #760 (comment). Prior development discussion of this PR can be found in siv2r/secp256k1#2.

    Speed Up

    • batch verifying Schnorr signatures is 20% faster - graph here
    • batch verifying tweak pubkey checks is 50% faster - graph here

    Fixes #1087

  2. siv2r commented at 9:02 am on August 21, 2022: contributor

    This implementation does not strictly follow the BIP340 batch verification spec.

    For example,

    • the random numbers (or randomizers) aren’t generated by passing a seed (hash of all inputs) to CSPRNG
    • allows mixing of schnorrsig and tweak checks
    • uses the tag “BIP0340/batch” for initializing the sha256 obj (not in the BIP340 specs)

    Alternative Design Options

    • batch module design
    • Delayed randomizer generation
      • the current code generates a randomizer just after a user enters input (in _batch_add_*)
      • we could instead generate them (in batch_verify) after the user enters all their input
      • Pros: follows bip340 specs. Cons: consumes more memory.
      • more info: #1087 (comment) and here
    • Use BLAKE256 instead of SHA256 for generating randomizers (to improve speed).
    • In _batch_create, we could:
      • Get memory size instead of max_terms.
      • Provide pre-determined sizes (small, medium, and large) instead of max_terms.
        • Better test coverage?
  3. siv2r commented at 9:03 am on August 21, 2022: contributor

    Questions

    • Streaming batch API (this PR) vs Single call batch API?
    • Is transparent verification required?
      • the current code implements transparent verification (inside batch_add_* APIs)
      • without transparent verification, the user needs to check for space in the batch before calling _batch_add APIs:
      0if (batch_enough_space_for_schnorrsig) {
1  batch_add_schnorrsig()
2}
    • On an empty batch, Should _batch_verify return 0 or 1?
      • the current code returns 1
        • simple implementation
      • if we want to return 0
        • needs an extra param in batch to avoid ANDing the result with its initial value
        • provides better security?
    • xonly_pubkey_tweak_add_check recommends ctx to be initialized for verification, but it can work even if ctx is initialized as none.
      • Since batch_add_tweak_xonlypub_check is based on tweak_add_check, should it also recommend that ctx be initialized for verification?
      • Can it recommend that ctx be initialized for none instead?
    • A better name for secp256k1_batch_usable?
      • the current name is confusing
      • here, “usable” means if the batch can be used by the batch_add_* functions
  4. siv2r force-pushed on Aug 21, 2022
  5. siv2r commented at 10:35 am on August 21, 2022: contributor
    In extrakeys/bench_impl.h, cast pointers to (void *) before freeing to avoid MSVC warning.
  6. in doc/speedup-batch/bench_output.txt:5 in eb49e93b50 outdated 
    0@@ -0,0 +1,137 @@
1+Benchmark                          ,    Min(us)    ,    Avg(us)    ,    Max(us)    
2+
3+schnorrsig_sign                    ,    50.4       ,    50.5       ,    50.7    
4+schnorrsig_verify                  ,    89.1       ,    89.2       ,    89.3    
5+schnorrsig_batch_verify_1          ,   104.0       ,   104.0       ,   104.0
    sipa commented at 5:11 pm on August 23, 2022:
    batch_verify_1 shouldn’t be slower than non-batch verify. Is it possible to revert to using non-batch validation logic for this case?
    siv2r commented at 10:29 pm on August 23, 2022:

    Not possible with the current design.

    The non-batch validation (secp256k1_schnorrsig_verify) logic looks something like this:

    • calc rj using secp256k1_ecmult: Rj = sG - eP
    • convert rj (gej) to r (ge)
    • check if the r.x = sig[0:32] and r.y = even

    one schnorrsig occupies two points in the batch, and one tweak check occupies one point in the batch. If a batch contains two points, there is no guarantee that they are from a schnorrsig (R, P). It could be from two tweak checks. So, we can’t use the r.y = even check.

    Hence, I tried implementing a slightly modified schnorrsig_verify logic (not implement in this PR):

    • calc neg_rj using secp256k1_ecmult: neg_Rj = -s*G + batch.scalars[1]*batch.points[1]
    • check if neg_rj + batch.points[0] == inf using _gej_add_var
      • batch.scalars[0] = 1 always. So, we don’t need to use ecmult again

    This gives somewhat better benchmarks than before:

    0Benchmark                          ,    Min(us)    ,    Avg(us)    ,    Max(us)    
1
2schnorrsig_sign                    ,    49.1       ,    50.1       ,    53.4    
3schnorrsig_verify                  ,    86.6       ,    87.2       ,    88.4    
4schnorrsig_batch_verify_1          ,    94.7       ,    95.0       ,    95.2

    But schnorrsig_batch_verify_1 is still slower than schnorrsig_verify.

  7. jonasnick commented at 2:43 pm on August 24, 2022: contributor

    This implementation does not strictly follow the BIP340 batch verification spec. […] the random numbers (or randomizers) aren’t generated by passing a seed (hash of all inputs) to CSPRNG

    The security argument for batch verification should relatively easily translate to the approach in this PR.

    Is transparent verification required?

    I initially wasn’t a fan of transparent verification because developers generally want to know how long a certain function call takes and don’t want to be surprised by some batch_add calls taking much longer than others. But I changed my mind on this.

    The batch verification API right now is used as follows:

    0for (i = 0; i < N_SIGS; i++) {
1    if(!batch_usable(batch) || !batch_add_schnorrsig(batch, sig[i], msg[i], sizeof(msg[i]), &pk)) {
2        return 0;
3    }
4}
5if(!batch_verify(ctx, batch)) {
6    return 0;
7}

    Without TV, then one option is to have the user create a batch that is large enough. Of course that’s not alway possible because the batch can get larger than the available memory. Moreover, this would require adding an API that, given a number of schnorrsigs and tweaks (and more in the future) returns the size of the required batch. That seems way more complicated than TV.

    If there’s no TV and the batch is not guaranteed to be large enough, then users need to essentially reimplement something like transparent verification:

     0for (i = 0; i < N_SIGS; i++) {
 1    if(!schnorrsig_batch_has_space(batch)) {
 2        if(!batch_verify(batch)) {
 3            return 0;
 4        }
 5    }
 6    if (!batch_add_schnorrsig(batch, sig[i], msg[i], sizeof(msg[i]), &pk)) {
 7        return 0;
 8    }
 9}
10if(!batch_verify(ctx, batch)) {
11    return 0;
12}
    1. This is more code compared to having TV built into batch_add.
    2. *_batch_has_space is specific to whatever you’re trying to add to the batch, i.e., we would also have to add tweak_has_space, for example.
    3. The batch_usable function in the current implementation (with TV) only allows for earlier aborts and is not essential (unless you want to determine if a batch_add failed because its input is obviously malformed or because the previous batch_add triggered a batch_verify that failed).
    4. If users don’t want to use TV (for whatever reason), then they don’t have to - even in the current implementation. This requires counting the terms that have been added to the batch and verifying before it’s full (perhaps we can make this simpler).

    xonly_pubkey_tweak_add_check recommends ctx to be initialized for verification, but it can work even if ctx is initialized as none. […] Since batch_add_tweak_xonlypub_check is based on tweak_add_check, should it also recommend that ctx be initialized for verification?

    I don’t think so. #1126 removes “initialized for verification” from the API docs of xonly_pubkey_tweak_add_check. For consistency it would be better if you’d remove “(can be initialized for none)” from the API doc.

  8. real-or-random commented at 6:54 pm on August 24, 2022: contributor
    I haven’t had a closer look yet but I agree with @jonasnick’s comments about TV.
  9. fjahr commented at 7:54 pm on December 25, 2022: contributor
    @siv2r Are you still working on this topic? Do you plan to address @jonasnick ’s comments?
  10. siv2r commented at 6:34 am on December 26, 2022: contributor

    @fjahr, this PR needs review from other contributors regarding the (batch API) design decision made here. The #1134#pullrequestreview-1083948472 comment showed its support for the “Transparent Verification” feature, which was implemented.

    IIRC, two documentation changes are required (at the time of writing):

    • remove “initialized for verification” from the batch_add_tweak_xonlypub_check doc.
    • document that batch_verify_1 is slower than schnorrsig_verify (see #1134 (comment)).

    I avoided making these changes immediately to keep the commit history clean for reviewers. I would be happy to work on any required changes after it gets enough review.

  11. in src/modules/batch/main_impl.h:197 in eb49e93b50 outdated 
    192+        int strauss_ret = secp256k1_ecmult_strauss_batch_internal(&ctx->error_callback, batch->data, &resj, batch->scalars, batch->points, &batch->sc_g, batch->len);
193+        int mid_res = secp256k1_gej_is_infinity(&resj);
194+
195+        /* `_strauss_batch_internal` should not fail due to insufficient memory.
196+         * `batch_create` will allocate memeory needed by `_strauss_batch_internal`. */
197+        VERIFY_CHECK(strauss_ret != 0);
    fjahr commented at 11:57 pm on February 27, 2024:
    Getting an unused variable warning about strauss_ret here when building this as part of bitcoin core, probably because the check is removed with optimizations?
    real-or-random commented at 2:28 pm on February 28, 2024:
    The macro VERIFY_CHECK(code) is defined to be the empty string in production builds, that’s why you need to suppress the warning using (void)strauss_ret;.
  12. in include/secp256k1_batch.h:27 in eb49e93b50 outdated 
    22+ *
23+ *  The purpose of this structure is to store elliptic curve points, their scalar
24+ *  coefficients, and scalar coefficient of generator point participating in Multi-Scalar
25+ *  Point Multiplication computation, which is done by `secp256k1_ecmult_strauss_batch_internal`
26+ */
27+typedef struct secp256k1_batch_struct secp256k1_batch;
    fjahr commented at 11:59 pm on February 27, 2024:

    secp256k1_batch isn’t part of the API yet it seems.

    0SECP256K1_API const secp256k1_batch *secp256k1_batch_struct;
    siv2r commented at 1:01 pm on February 28, 2024:
    Why do we need this? Currently, users can only create pointers to the secp256k1_batch object, which is the intended functionality of opaque objects, right?
    fjahr commented at 3:20 pm on February 28, 2024:
    Hm, never mind, it seems it’s not needed anymore with the latest version of my bitcoin core code.
  13. fjahr commented at 0:02 am on February 28, 2024: contributor

    I have opened a draft PR for using this in bitcoin core: https://github.com/bitcoin/bitcoin/pull/29491

    Here is a rebased branch of the code that I am using: https://github.com/fjahr/secp256k1/tree/pr1134-rebase-2024

    I hope this can create some new interest and motivate people to review here as well.

  14. real-or-random added the label feature on Feb 28, 2024
  15. real-or-random added the label performance on Feb 28, 2024
  16. in src/modules/batch/tests_impl.h:62 in eb49e93b50 outdated 
    66+    secp256k1_batch *batch_none;
67+    secp256k1_batch *batch_sign;
68+    secp256k1_batch *batch_vrfy;
69+    secp256k1_batch *batch_both;
70+    secp256k1_batch *batch_sttc;
71+    unsigned char aux_rand16[32];
    fjahr commented at 3:21 pm on February 28, 2024:

    Getting another warning here when compiling together with Bitcoin Core:

    0src/modules/batch/tests_impl.h:68:19: warning: mixing declarations and code is a C99 extension [-Wdeclaration-after-statement]
1    unsigned char aux_rand16[32];
2                  ^
    sipa commented at 3:42 pm on December 7, 2024:
    In C89 all the variable declarations must precede statements within any block.
    fjahr commented at 7:31 pm on December 7, 2024:
    Thanks @sipa, yeah, I should have added that I have this fixed now in my rebase branch: https://github.com/fjahr/secp256k1/commit/7c6b9df9ec8fe20fb228ead90d494e95f18c8344#diff-fa3fe2044a5385d080fb813c89c9d0707b50ec7083cef9cd9c114b1f2e5483c3R41
  17. fjahr commented at 10:07 pm on December 3, 2024: contributor

    Here is a rebased branch of the code that I am using: https://github.com/fjahr/secp256k1/tree/pr1134-rebase-2024

    FWIW, I have updated the rebased code recently and also added the changes necessary to build the module with cmake.

  18. ryanofsky referenced this in commit b9c281011b on Mar 23, 2025
  19. siv2r force-pushed on Jul 4, 2025
  20. siv2r commented at 7:41 am on July 4, 2025: contributor
    Just updated the PR on top of the current master and added a CMake build option. Planning to work on Pippenger next. Would appreciate any reviews in the meantime. I’ll fix the failed CI checks soon.
  21. in README.md:25 in 410abb205a outdated 
    21@@ -22,6 +22,7 @@ Features:
22 * Optional module for Schnorr signatures according to [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
23 * Optional module for ElligatorSwift key exchange according to [BIP-324](https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki).
24 * Optional module for MuSig2 Schnorr multi-signatures according to [BIP-327](https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki).
25+* Optional module for Batch Verification (experimental).
    fjahr commented at 6:12 pm on July 6, 2025:
    Could also mention “according to BIP340” here since batch verification is also specified there.
    siv2r commented at 8:32 am on September 26, 2025:

    Thanks. I’ll update this to say “BIP340-compatible batch verification”.

    The main reason I didn’t mention BIP340 initially was that this module doesn’t strictly follow the specification. BIP340 requires generating randomizers by seeding ChaCha20 with the hash of all inputs, but with our API design, we don’t know all the inputs beforehand. So we simply hash whatever inputs we have at the time.

    We could technically defer randomizer generation until the verify function runs, so we’d know all inputs before creating the randomizer. But with transparent verification involved, there’s no guarantee that users will stop adding inputs after the verify function is called. So, I don’t see any huge benefit.

  22. in ci/ci.sh:83 in 410abb205a outdated 
    79@@ -80,6 +80,7 @@ esac
80     --enable-module-extrakeys="$EXTRAKEYS" \
81     --enable-module-schnorrsig="$SCHNORRSIG" \
82     --enable-module-musig="$MUSIG" \
83+    --enable-module-batch="$BATCH"
    fjahr commented at 6:17 pm on July 6, 2025:
    Missing \ here?
    siv2r commented at 5:23 pm on July 29, 2025:
    Ah, yes. This is one of the reasons the CI fails. Thanks!
  23. in src/tests.c:5012 in 410abb205a outdated 
    5007+    *inp_len = filled;
5008+    /* number of non-zero (scalars, points) inputs */
5009+    *nonzero_inp_len = num_nonzero;
5010+    /* ptr to g_scalar*/
5011+    g_scalar = g_scalar_ptr;
5012+    /* is mulciplicand of g nonzero? */
    fjahr commented at 6:29 pm on July 6, 2025:

    nit: typo

    0    /* is multiplicand of g nonzero? */
  24. in src/modules/schnorrsig/tests_impl.h:266 in 410abb205a outdated 
    262@@ -242,6 +263,9 @@ static void test_schnorrsig_bip_vectors(void) {
263         };
264         test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
265         test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
266+        #ifdef ENABLE_MODULE_BATCH
    fjahr commented at 6:36 pm on July 6, 2025:
    nit: Not sure if that is something that would be popular but I think you could limit these ifdefs to just the test function itself by just having the function body be enclosed in an batch ifdef. At least that would save a few lines of code. Just an idea though, this doesn’t bother me much.
  25. in src/modules/batch/main_impl.h:31 in 410abb205a outdated 
    26+ *       sc_g: scalar corresponding to the generator point (G) in Multi-Scalar
27+ *             Multiplication equation.
28+ *     sha256: contains hash of all the inputs (schnorrsig/tweaks) present in
29+ *             the batch object, expect the first input. Used for generating a random secp256k1_scalar
30+ *             for each term added by secp256k1_batch_add_*.
31+ *     sha256: contains hash of all inputs (except the first one) present in the batch.
    fjahr commented at 7:14 pm on July 6, 2025:
    sha256 arg is listed twice here
  26. in src/modules/batch/main_impl.h:126 in 410abb205a outdated 
    121+        /* create scratch space inside batch object, if that fails return NULL*/
122+        batch->data = secp256k1_scratch_create(&ctx->error_callback, batch_scratch_size);
123+        if (batch->data == NULL) {
124+            return NULL;
125+        }
126+        /* allocate memeory for `max_terms` number of scalars and points on scratch space */
    fjahr commented at 7:15 pm on July 6, 2025:

    nit

    0        /* allocate memory for `max_terms` number of scalars and points on scratch space */
  27. in include/secp256k1_batch.h:94 in 410abb205a outdated 
    89+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
90+
91+/** Verify the set of schnorr signatures or tweaked pubkeys present in the secp256k1_batch.
92+ *
93+ *  Returns: 1: every schnorrsig/tweak (in batch) is valid
94+ *           0: atleaset one of the schnorrsig/tweak (in batch) is invalid
    fjahr commented at 7:17 pm on July 6, 2025:

    nit

    0 *           0: at least one of the schnorrsig/tweak (in batch) is invalid
  28. in include/secp256k1_batch.h:86 in 410abb205a outdated 
    81+ *
82+ *  If you ignore the above advice, all the secp256k1_batch APIs will still
83+ *  work correctly. It simply makes it hard to understand the reason behind
84+ *  `secp256k1_batch_add_*` failure (if occurs).
85+ */
86+SECP256K1_API int secp256k1_batch_usable(
    fjahr commented at 7:29 pm on July 6, 2025:
    I understand the rationale given here but I am still not sure we really need this function. As far as I understand this only returns what result is set to and only the verify function could set result to false. So this means for this to be useful, the user would first need to have called verify and ignored the result. I am not sure in which context this would really be needed, maybe in some concurrency scenarios? But even then it feels like users should be handling that differently. Happy to be convinced otherwise but currently I would vote to remove it if there isn’t some use case I am missing.
    siv2r commented at 8:09 am on September 26, 2025:

    Good question! The verify function isn’t just called by users - it can also be called internally by the batch_add_ APIs. We call this transparent verification.

    Here’s how it works: when a user creates a batch with batch_create, they specify a capacity for n items (schnorrsig or tweak checks). If they try to add more items than the capacity, the batch_add_ APIs automatically run verification and clear out the batch object so the user can keep adding items.

    Now, if this intermediate verification call fails, there’s no point in continuing to add more items to the batch object because the final verify (that the user will call) is going to fail anyway. With this API, users can detect the intermediate verification failure and abort early.

    Beyond this scenario, the API doesn’t have much practical use. Users who know they’ll stay within their batch capacity probably won’t need this API. Since we don’t provide a batch_storage_left API to show how many more items they can add, users might accidentally exceed the capacity without realizing it?

    siv2r commented at 8:09 am on September 26, 2025:
    I think the documentation doesn’t explain this properly. I’ll be sure to update them.
    jonasnick commented at 1:03 pm on October 20, 2025:

    Now, if this intermediate verification call fails, there’s no point in continuing to add more items to the batch object because the final verify (that the user will call) is going to fail anyway. With this API, users can detect the intermediate verification failure and abort early.

    If there is intermediate verification failure, wouldn’t users already detect that because the *_add function fails? There is already a branch right at the start of secp256k1_batch_add_schnorrsig that makes the function fail if the intermediate result is 0: https://github.com/bitcoin-core/secp256k1/blob/569c06f2af7f94f452855fe86117c1713a35e104/src/modules/schnorrsig/batch_add_impl.h#L93-L95

    What appears to be inconsistent right now is when secp256k1_batch_add_schnorrsig does internal verification of the batch, the return value is ignored. https://github.com/bitcoin-core/secp256k1/blob/569c06f2af7f94f452855fe86117c1713a35e104/src/modules/schnorrsig/batch_add_impl.h#L113-L115

    If secp256k1_batch_add_schnorrsig would return 0 in that case, I don’t see a use for batch_unusable.

    EDIT: see below for a different API proposal

  29. fjahr commented at 7:37 pm on July 6, 2025: contributor
    Thanks for the update @siv2r! Leaving a few comments from a superficial read-through. I will integrate the latest code into the Bitcoin Core PR and take a deeper look soon.
  30. batch: Initialize an experimental batch module 
    This commit adds the foundational configuration, build scripts,
and an initial structure for experimental batch module.
    a11ce30134
  31. batch: Add create and destroy APIs 
    This commit adds the batch_create and batch_destroy APIs.
Relevant Links:
1. batch_scratch_size allocation formula is taken from bench ecmult:
https://github.com/bitcoin-core/secp256k1/blob/694ce8fb2d1fd8a3d641d7c33705691d41a2a860/src/bench_ecmult.c#L312.
2. aux_rand16 param in batch_create enables synthetic randomness for
randomizer generation: https://github.com/sipa/bips/issues/204.
    d9cb57fc10
  32. batch, ecmult: Add batch_verify and refactor strauss_batch 
    This commit refactors ecmult_strauss_batch and adds _batch_verify API.

The current ecmult_strauss_batch only works on empty scratch space. To
make batch_verify compatible, we need ecmult_strauss_batch to support a
scratch space pre-filled with scalars and points. So, it was refactored
to do exactly that.

The batch_verify API always uses the Strauss algorithm. It doesn't switch
to Pippenger (unlike ecmult_multi_var). ecmult_pippenger_batch represents
points as secp256k1_ge whereas ecmult_strauss_batch represents points as
secp256k1_gej. This makes supporting both Pippenger and Strauss difficult
(at least with the current batch object design). Hence, batch_verify only
supports Strauss for simplicity.
    e01fcdae95
  33. batch: Add batch_add_* APIs 
    This commit adds the batch APIs:

1. batch_add_schnorrsig
    Adds a Schnorr signature to the batch.

2. batch_add_xonlypub_tweak_check
	Adds a tweaked x-only pubkey check to the batch.

3. batch_usable
	Checks if a batch can be used by _batch_add_* APIs.

**Side Note:**
Exposing batch_add_schnorrsig in the secp256k1_schnorrsig.h header
file (with batch module header guards) will force the user to define
ENABLE_MODULE_BATCH during their code compilation. Hence, it is in a
standalone secp256k1_schnorrsig_batch.h header file. A similar argument
could be made for batch_add_xonlypub_tweak_check.
    f1bf993798
  34. batch: Add example 
    This commit adds an example C program using the batch API.

GNU Autotools and CMake will compile this example only if both batch and
schnorrsig modules are enabled.
    ff9ea3bddd
  35. batch,ecmult: Add tests for core batch APIs and strauss_batch refactor 
    This commit adds the following tests:
	1. GitHub workflow
	2. Batch API tests (ordered)
	3. Tagged SHA256 test
	4. BIP340 test vectors: https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv
	5. Large random test for `strauss_batch` refactor
    b258b74d29
  36. batch: Add tests for batch_add_* APIs 
    This commit adds the following tests:
	1. Random bitflip test for randomizer generating function
	2. Random bitflip in Schnorr Signature (batch_add_schnorrsig test)
	3. NULL arg tests (for both batch_add APIs)
    086d1b6be1
  37. batch, extrakeys: Add benchmarks 
    This commit adds benchmarks for:
    1. Batch verifying Schnorr signatures
    2. Batch verifying tweaked pubkey checks
    3. Normal tweaked pubkey check in extrakeys module

For batch verify benchmark, the number of sigs (or checks) in the batch
varies from 1 to SECP256K1_BENCH_ITERS with a 20% increment.
    00c6950a66
  38. batch: Generate speedup graphs 
    This commit generates two semi-log graphs that visualize the batch
verification speed up over single verification (y-axis) wrt the number
of signatures (or tweak checks) in the batch (x-axis). The input data
points are taken from the batch verify benchmark.

GNU plot was used to generate these graphs (plot.gp file). The instructions
to reproduce these graphs (on your local machine) are given in
doc/speedup-batch.md file.

The value of `STRAUSS_MAX_TERMS_PER_BATCH` was calculated (approx) from
the generated graphs.
Relevant discussion: https://github.com/siv2r/secp256k1/pull/2#issuecomment-1211585236
    bf8169954c
  39. test: fix ci failures 8d5cf82f2c
  40. siv2r force-pushed on Aug 10, 2025
  41. fjahr commented at 1:51 pm on September 4, 2025: contributor
    @siv2r I think you can drop the experimental status of the module from this PR. The flag is signalling potential API instability and while that is certainly still the case within this PR now, I think this will not be the case anymore once this PR is in a position to be merged. Once it is merged, we might start using it in Bitcoin Core soon after and dealing with the experimental flag would be annoying in this case and arguably once the code here is used for block validation it should probably not be considered experimental anymore. For comparison: The silent payments module PR also doesn’t mark the module experimental at the moment.
  42. siv2r commented at 5:10 pm on September 4, 2025: contributor
    I agree. I was wondering whether it should be removed or not, and your points make a lot of sense. Will remove it.
  43. batch: remove experimental status 569c06f2af
  44. siv2r commented at 5:35 pm on September 25, 2025: contributor

    I’m re-thinking some of the earlier design choices. Would appreciate some feedback on them.

    Here’s how it currently works:

    1. User creates a batch object with create
    2. Adds verification checks using add_schnorrsig and add_tweak_check
      • These store scalar-point pairs from Schnorr signature checks (s*G = R + e*P) and tweak checks (Q = P + t*G)
    3. Runs verification with batch_verify

    There are a couple features:

    • Transparent Verification: When the batch object gets full and user tries to add more schnorrsig/tweak checks, it automatically runs verification, stores the result, and clears the scratch space so they can keep adding more checks.
    • Pre defined sizes (suggested by @jonasnick, not implemented yet): Instead of letting users create batch objects with any arbitrary n value, we could offer preset sizes like SMALL, MEDIUM, and LARGE.

    Right now the batch module only supports Strauss (it calls ecmult_strauss_batch internally), and I’m exploring how to add Pippenger support.

    My first thought was: what if we just call ecmult_multi_var directly in the batch_verify API? This would let ecmult_multi_var handle choosing between Strauss or Pippenger, which seems like it would solve our problem pretty cleanly.

    But there’s an issue - our current batch object doesn’t meet the requirements that ecmult_multi_var expects. The function needs an empty scratch space from its callers, but our batch object pre-fills the scratch space with n scalar-point pairs, and ecmult_multi_var doesn’t recognize these pre-filled scalar-point pairs.

    When we want to multi-multiply n scalar-point pairs using ecmult_multi_var, our caller needs to provide three things:

    1. Callback data (cbdata): A caller-defined data structure that stores the n scalar-point pairs (in whatever format works for the caller)
    2. Callback function: A caller-defined function that extracts a single scalar-point pair from cbdata for each index i < n
    3. Empty scratch space: ecmult_multi_var partitions the n inputs into batches that fit in this scratch space. It then runs either Strauss or Pippenger per batch. These algorithms stream n_batch_points scalar-point pairs into the scratch space by repeatedly calling the callback function on cbdata with incremental indices.

    We have two ways of designing the batch object:

    Design 1: Have only one scratch space that is pre-filled with scalar-point pairs and call strauss_ecmult_batch or pippenger_ecmult_batch internally. This pull request attempts this design.

    Design 2: Have two scratch spaces - one that is pre-filled with scalar-point pairs and another that stays empty. Now we can call ecmult_multi_var with the empty scratch space and use the pre-filled scratch space as our cbdata.

    At first glance, Design 1 seems more memory efficient since it only uses one scratch space. I started implementing this design without much hesitation, but it has some problems.

    It’s not straightforward to design a pre-filled scratch space that works with both ecmult_strauss_batch and ecmult_pippenger_batch. Strauss stores the n scalar-point pairs as-is in the scratch space, while Pippenger splits each pair (GLV endomorphism), so it stores 2n+2 points in the scratch space. Trying to create a generic scratch space that handles both feels like re-implementing the ecmult_multi_var function all over again.

    So, are we better off implementing Design 2?

    Alternatively, we could refactor ecmult_multi_var to recognize a pre-filled scratch space, though I’m not sure about the implementation details. My concern is that this might make the API more complicated.

    The issue with Design 2 is that it seems to copy data from one scratch space to another. When we give ecmult_multi_var two scratch spaces, it copies the n scalar-point pairs from the pre-filled one to the empty one using our callback function. Though with Pippenger, it’s not a direct copy since it splits each pair first. But maybe we’re okay with this overhead?

    TLDR: Is Design 2 the way to go? Or should we consider refactoring ecmult_multi_var?

  45. in doc/speedup-batch/bench.sh:1 in 569c06f2af 
    0@@ -0,0 +1,13 @@
1+#!/bin/bash
    jonasnick commented at 4:06 pm on October 17, 2025: 
    0#!/usr/bin/env bash
  46. in src/modules/schnorrsig/bench_impl.h:67 in 569c06f2af 
    62+    for (j = 0; j < iters/data->n; j++) {
63+        for (i = 0; i < data->n; i++) {
64+            secp256k1_xonly_pubkey pk;
65+            CHECK(secp256k1_xonly_pubkey_parse(data->ctx, &pk, data->pk[j+i]) == 1);
66+            CHECK(secp256k1_batch_usable(data->ctx, data->batch) == 1);
67+            CHECK(secp256k1_batch_add_schnorrsig(data->ctx, data->batch, data->sigs[j+i], data->msgs[j+i], MSGLEN, &pk) == 1);
    jonasnick commented at 12:38 pm on October 20, 2025:
    Shouldn’t the array elements in this block be indexed as [j*data->n + i] (same for tweak checks)?
  47. jonasnick commented at 3:31 pm on October 20, 2025: contributor

    I noticed that @fjahr’s PR to Core redefines our internal macro STRAUSS_MAX_TERMS_PER_BATCH and doesn’t use the transparent verification feature, which may indicate that we can improve our API design or documentation.

     0// This is the maximum number of scalar-point pairs on the batch for which
 1// Strauss' algorithm, which is used in the secp256k1 implementation, is
 2// still efficient. TODO: This will be changed when Pippenger algorithm is
 3// being used in the secp implementation too.
 4const size_t MAX_BATCH_SIZE{106};
 5
 6BatchSchnorrVerifier::BatchSchnorrVerifier() {
 7    unsigned char rnd[16];
 8    GetRandBytes(rnd);
 9    secp256k1_batch* batch{secp256k1_batch_create(secp256k1_context_static, MAX_BATCH_SIZE, rnd)};
10    m_batch = batch;
11}
  48. jonasnick commented at 8:35 am on October 28, 2025: contributor

    Some of the regular contributors discussed this PR in person and we landed on the following proposal for the API:

     0/* Change the max_terms argument to max_memory. This does not really work with
 1 * our current implementation of ecmult_multi, but we came up with a plan
 2 * to fix this. So, we'd need to refactor ecmult_multi first before switching to
 3 * the max_memory argument. */
 4SECP256K1_API secp256k1_batch* secp256k1_batch_create(
 5    const secp256k1_context* ctx,
 6    size_t max_memory,
 7    const unsigned char *aux_rand16
 8) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT;
 9
10/* This function allows processing a new batch without reallocating memory for
11 * the terms. It would set batch->len = 0 and batch->result = 1. */
12SECP256K1_API int secp256k1_batch_reset(
13    const secp256k1_context *ctx,
14    secp256k1_batch *batch
15) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
16
17/* batch_destroy and batch_verify are the same as in the current API.
18 * batch_verify returns 1 for an empty batch. batch_usable is removed. */

     0/* Change the return type to void. If batch->result == 0, then return
 1 * immediately. If parsing or transparent verification fails, set batch->result
 2 * to 0 and return. */
 3SECP256K1_API void secp256k1_batch_add_schnorrsig(
 4    const secp256k1_context* ctx,
 5    secp256k1_batch *batch,
 6    const unsigned char *sig64,
 7    const unsigned char *msg,
 8    size_t msglen,
 9    const secp256k1_xonly_pubkey *pubkey
10) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(6);

    This API is very simple for the caller. They need to always call verify, which minimizes the number of branches.

    0for (i = 0; i < N_SIGS; i++) {
1    batch_add_schnorrsig(batch, sig[i], msg[i], sizeof(msg[i]), &pk);
2}
3if(!batch_verify(ctx, batch)) {
4    return 0;
5}
  49. jonasnick commented at 8:36 am on October 28, 2025: contributor
    By the way, I vibe-coded pippenger support into the current PR, which resulted in a 1.75x speedup for 17,000 signatures.


siv2r sipa jonasnick real-or-random fjahr

Labels
feature performance

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-11-04 10:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me