Pages:
Author

Topic: Speeding up verification of digital signatures - page 2. (Read 1413 times)

sr. member
Activity: 430
Merit: 250
Using double-and-add one multiplication with n requires O(log(n)) additions. I don't think there are more efficient methods.

Is that log2?  If so, then a multiply "costs" 128 adds?
Yes, that would be the binary logarithm.

Time is proportional to the number of unique public keys.  For bitcoin, all the transactions would have different public keys, so the speed up is at most 2X.
That is correct, the question is if this is significant enough to bother with it.
newbie
Activity: 36
Merit: 0
Relevant part of the introduction:

' In this paper, we propose three algorithms to verify original ECDSA signatures in batches. Our algorithms apply to all cases of ECDSA signatures sharing the same curve parameters, although we obtain good speedup figures when all the signatures in the batch come from the same signer.
Our algorithms are effective only for small batch sizes'
legendary
Activity: 1232
Merit: 1094
Using double-and-add one multiplication with n requires O(log(n)) additions. I don't think there are more efficient methods.

Is that log2?  If so, then a multiply "costs" 128 adds?

Quote
Adding another bit to the r-values to determine the points on the curve would be a very elegant solution, something to consider if it provides a significant improvement.

Time is proportional to the number of unique public keys.  For bitcoin, all the transactions would have different public keys, so the speed up is at most 2X.
sr. member
Activity: 430
Merit: 250
What is the relative time for adds and multiplies?

Using double-and-add one multiplication with n requires O(log(n)) additions. I don't think there are more efficient methods.

Adding another bit to the r-values to determine the points on the curve would be a very elegant solution, something to consider if it provides a significant improvement.
legendary
Activity: 1232
Merit: 1094
See equation 3 of the naive algoritm, because the curve point multiplication with base point P is done only once per batch of signatures it offers at least about 2x the speedup in any case.

They have a problem that the signature is (r, s) which is 2 integers (mod p).

You need to verify

sum(R) = sum(u * G) + sum(v * Q)

or

sum(R) = sum(u) * G + sum(v * Q)

The problem is that you don't have R.  The parameter r is the x-coord of R.

R means y^2 = r^3 + a*r + b mod p

That gives you 2 y's for each r value.

They suggest trying all permutations.

If you do a batch of 4, that gives 16 attempts to find R.

sum(u) * G => 3 integer adds and a point multiply
sum(v * Q) => 4 point multiplies and 3 point adds

Each R guess requires 3 point adds and 8 on average means 24 point adds.

It also requires a square root step.

Total
5 point multiplies
27 point adds

Normal:
8 point multiplies
1 point add

The batch method has 3 fewer multiplies but 19 more adds. 

What is the relative time for adds and multiplies?
sr. member
Activity: 430
Merit: 250
The idea of a batch system sounds cool though.  It looks like it only works if the same public key is used for all signatures?
See equation 3 of the naive algoritm, because the curve point multiplication with base point P is done only once per batch of signatures it offers at least about 2x the speedup in any case.
legendary
Activity: 1232
Merit: 1094
The client doesn't use the "fastest" possible implementation.  It just uses a standard openSSL elliptic curve implementation.

The have to balance speed against security.

The idea of a batch system sounds cool though.  It looks like it only works if the same public key is used for all signatures?
sr. member
Activity: 406
Merit: 251
http://altoidnerd.com
Bump. We need a math board.
newbie
Activity: 36
Merit: 0
I understand that downloading and verifying the blockchain takes time.
As regards to verification, I believe that most time is spent checking digital signatures.
Has anyone looked at batch verification of ECDSA signatures ?
Here is a starting point: http://cse.iitkgp.ac.in/~abhij/publications/AfricaCrypt12-ECDSA-bv.pdf

PS: After a cursory check, I did not find an implementation of these algotirthms.
Pages:
Jump to: