Choose batch randomizers in range [-2^127, 2^127-1]

H/T roconnor-blockstream for this idea

Author: jonasnick

doc/speedup-batch/bench_output.txt

@@ -1,67 +1,67 @@
-schnorrsig_sign: min 24.5us / avg 24.6us / max 24.6us
-schnorrsig_verify: min 42.1us / avg 42.1us / max 42.2us
-schnorrsig_batch_verify_1: min 50.2us / avg 50.3us / max 50.3us
-schnorrsig_batch_verify_2: min 43.5us / avg 43.5us / max 43.5us
-schnorrsig_batch_verify_3: min 41.1us / avg 41.1us / max 41.1us
-schnorrsig_batch_verify_4: min 40.0us / avg 40.0us / max 40.0us
-schnorrsig_batch_verify_5: min 39.2us / avg 39.2us / max 39.3us
-schnorrsig_batch_verify_7: min 38.4us / avg 38.5us / max 38.5us
-schnorrsig_batch_verify_9: min 38.0us / avg 38.0us / max 38.0us
-schnorrsig_batch_verify_11: min 37.7us / avg 37.7us / max 37.8us
-schnorrsig_batch_verify_14: min 37.4us / avg 37.4us / max 37.5us
-schnorrsig_batch_verify_17: min 37.3us / avg 37.3us / max 37.3us
-schnorrsig_batch_verify_21: min 37.1us / avg 37.1us / max 37.2us
-schnorrsig_batch_verify_26: min 37.0us / avg 37.0us / max 37.0us
-schnorrsig_batch_verify_32: min 37.0us / avg 37.0us / max 37.0us
-schnorrsig_batch_verify_39: min 36.9us / avg 36.9us / max 36.9us
-schnorrsig_batch_verify_47: min 35.2us / avg 35.3us / max 35.3us
-schnorrsig_batch_verify_57: min 34.2us / avg 34.2us / max 34.2us
-schnorrsig_batch_verify_69: min 33.8us / avg 33.8us / max 33.9us
-schnorrsig_batch_verify_83: min 32.6us / avg 32.6us / max 32.7us
-schnorrsig_batch_verify_100: min 31.7us / avg 31.7us / max 31.7us
-schnorrsig_batch_verify_121: min 31.6us / avg 31.6us / max 31.6us
-schnorrsig_batch_verify_146: min 30.5us / avg 30.5us / max 30.5us
-schnorrsig_batch_verify_176: min 29.5us / avg 29.5us / max 29.5us
-schnorrsig_batch_verify_212: min 28.7us / avg 28.7us / max 28.7us
-schnorrsig_batch_verify_255: min 28.0us / avg 28.0us / max 28.0us
-schnorrsig_batch_verify_307: min 27.5us / avg 27.5us / max 27.5us
-schnorrsig_batch_verify_369: min 27.0us / avg 27.0us / max 27.0us
-schnorrsig_batch_verify_443: min 26.6us / avg 26.7us / max 26.7us
-schnorrsig_batch_verify_532: min 26.3us / avg 26.3us / max 26.4us
-schnorrsig_batch_verify_639: min 26.5us / avg 26.5us / max 26.5us
-schnorrsig_batch_verify_767: min 25.8us / avg 25.8us / max 25.8us
-schnorrsig_batch_verify_921: min 25.2us / avg 25.2us / max 25.2us
-schnorrsig_batch_verify_1106: min 24.7us / avg 24.7us / max 24.7us
-schnorrsig_batch_verify_1328: min 24.3us / avg 24.3us / max 24.3us
-schnorrsig_batch_verify_1594: min 24.0us / avg 24.0us / max 24.1us
-schnorrsig_batch_verify_1913: min 23.7us / avg 23.7us / max 23.8us
-schnorrsig_batch_verify_2296: min 23.7us / avg 23.7us / max 23.7us
-schnorrsig_batch_verify_2756: min 23.3us / avg 23.3us / max 23.3us
-schnorrsig_batch_verify_3308: min 22.9us / avg 23.0us / max 23.0us
-schnorrsig_batch_verify_3970: min 23.0us / avg 23.0us / max 23.0us
-schnorrsig_batch_verify_4765: min 22.7us / avg 22.7us / max 22.7us
-schnorrsig_batch_verify_5719: min 22.3us / avg 22.4us / max 22.4us
-schnorrsig_batch_verify_6863: min 22.1us / avg 22.1us / max 22.1us
-schnorrsig_batch_verify_8236: min 22.0us / avg 22.0us / max 22.0us
-schnorrsig_batch_verify_9884: min 21.7us / avg 21.7us / max 21.7us
-schnorrsig_batch_verify_11861: min 21.4us / avg 21.5us / max 21.5us
-schnorrsig_batch_verify_14234: min 21.2us / avg 21.2us / max 21.3us
-schnorrsig_batch_verify_17081: min 21.1us / avg 21.1us / max 21.1us
-schnorrsig_batch_verify_20498: min 20.9us / avg 21.0us / max 21.0us
-schnorrsig_batch_verify_24598: min 20.8us / avg 20.9us / max 20.9us
-schnorrsig_batch_verify_29518: min 20.7us / avg 20.7us / max 20.8us
-schnorrsig_batch_verify_35422: min 20.7us / avg 20.7us / max 20.7us
-schnorrsig_batch_verify_42507: min 20.6us / avg 20.6us / max 20.6us
-schnorrsig_batch_verify_51009: min 20.5us / avg 20.5us / max 20.6us
-schnorrsig_batch_verify_61211: min 20.5us / avg 20.5us / max 20.5us
-schnorrsig_batch_verify_73454: min 20.4us / avg 20.4us / max 20.4us
-schnorrsig_batch_verify_88145: min 20.4us / avg 20.4us / max 20.4us
-schnorrsig_batch_verify_105775: min 20.4us / avg 20.4us / max 20.4us
-schnorrsig_batch_verify_126931: min 20.3us / avg 20.4us / max 20.4us
-schnorrsig_batch_verify_152318: min 20.3us / avg 20.3us / max 20.3us
-schnorrsig_batch_verify_182782: min 20.3us / avg 20.3us / max 20.3us
-schnorrsig_batch_verify_219339: min 20.3us / avg 20.3us / max 20.4us
-schnorrsig_batch_verify_263207: min 20.3us / avg 20.3us / max 20.4us
-schnorrsig_batch_verify_315849: min 20.3us / avg 20.3us / max 20.3us
-schnorrsig_batch_verify_379019: min 20.3us / avg 20.3us / max 20.4us
-schnorrsig_batch_verify_454823: min 20.3us / avg 20.3us / max 20.4us
+schnorrsig_sign: min 24.3us / avg 24.3us / max 24.4us
+schnorrsig_verify: min 41.9us / avg 42.0us / max 42.0us
+schnorrsig_batch_verify_1: min 50.0us / avg 50.1us / max 50.1us
+schnorrsig_batch_verify_2: min 42.1us / avg 42.1us / max 42.1us
+schnorrsig_batch_verify_3: min 39.3us / avg 39.3us / max 39.4us
+schnorrsig_batch_verify_4: min 38.0us / avg 38.0us / max 38.1us
+schnorrsig_batch_verify_5: min 37.2us / avg 37.2us / max 37.2us
+schnorrsig_batch_verify_7: min 36.2us / avg 36.2us / max 36.3us
+schnorrsig_batch_verify_9: min 35.6us / avg 35.7us / max 35.7us
+schnorrsig_batch_verify_11: min 35.3us / avg 35.4us / max 35.4us
+schnorrsig_batch_verify_14: min 35.0us / avg 35.0us / max 35.0us
+schnorrsig_batch_verify_17: min 34.7us / avg 34.7us / max 34.8us
+schnorrsig_batch_verify_21: min 34.5us / avg 34.6us / max 34.6us
+schnorrsig_batch_verify_26: min 34.4us / avg 34.4us / max 34.4us
+schnorrsig_batch_verify_32: min 34.3us / avg 34.3us / max 34.3us
+schnorrsig_batch_verify_39: min 34.2us / avg 34.2us / max 34.2us
+schnorrsig_batch_verify_47: min 33.1us / avg 33.1us / max 33.2us
+schnorrsig_batch_verify_57: min 32.1us / avg 32.1us / max 32.1us
+schnorrsig_batch_verify_69: min 32.0us / avg 32.0us / max 32.0us
+schnorrsig_batch_verify_83: min 30.8us / avg 30.8us / max 30.8us
+schnorrsig_batch_verify_100: min 29.8us / avg 29.8us / max 29.8us
+schnorrsig_batch_verify_121: min 30.0us / avg 30.0us / max 30.0us
+schnorrsig_batch_verify_146: min 28.8us / avg 28.8us / max 28.9us
+schnorrsig_batch_verify_176: min 27.9us / avg 27.9us / max 27.9us
+schnorrsig_batch_verify_212: min 27.1us / avg 27.1us / max 27.1us
+schnorrsig_batch_verify_255: min 26.4us / avg 26.4us / max 26.5us
+schnorrsig_batch_verify_307: min 25.8us / avg 25.8us / max 25.9us
+schnorrsig_batch_verify_369: min 25.4us / avg 25.4us / max 25.4us
+schnorrsig_batch_verify_443: min 25.0us / avg 25.0us / max 25.0us
+schnorrsig_batch_verify_532: min 24.7us / avg 24.7us / max 24.8us
+schnorrsig_batch_verify_639: min 25.2us / avg 25.2us / max 25.2us
+schnorrsig_batch_verify_767: min 24.5us / avg 24.5us / max 24.5us
+schnorrsig_batch_verify_921: min 23.9us / avg 23.9us / max 23.9us
+schnorrsig_batch_verify_1106: min 23.4us / avg 23.4us / max 23.4us
+schnorrsig_batch_verify_1328: min 23.0us / avg 23.1us / max 23.1us
+schnorrsig_batch_verify_1594: min 22.7us / avg 22.7us / max 22.7us
+schnorrsig_batch_verify_1913: min 22.3us / avg 22.4us / max 22.4us
+schnorrsig_batch_verify_2296: min 22.4us / avg 22.4us / max 22.5us
+schnorrsig_batch_verify_2756: min 22.1us / avg 22.1us / max 22.1us
+schnorrsig_batch_verify_3308: min 21.8us / avg 21.8us / max 21.8us
+schnorrsig_batch_verify_3970: min 21.9us / avg 21.9us / max 21.9us
+schnorrsig_batch_verify_4765: min 21.5us / avg 21.6us / max 21.6us
+schnorrsig_batch_verify_5719: min 21.2us / avg 21.2us / max 21.2us
+schnorrsig_batch_verify_6863: min 21.0us / avg 21.0us / max 21.0us
+schnorrsig_batch_verify_8236: min 21.0us / avg 21.0us / max 21.0us
+schnorrsig_batch_verify_9884: min 20.7us / avg 20.7us / max 20.7us
+schnorrsig_batch_verify_11861: min 20.5us / avg 20.5us / max 20.5us
+schnorrsig_batch_verify_14234: min 20.2us / avg 20.3us / max 20.3us
+schnorrsig_batch_verify_17081: min 20.1us / avg 20.1us / max 20.1us
+schnorrsig_batch_verify_20498: min 20.0us / avg 20.0us / max 20.0us
+schnorrsig_batch_verify_24598: min 19.8us / avg 19.8us / max 19.8us
+schnorrsig_batch_verify_29518: min 19.7us / avg 19.7us / max 19.7us
+schnorrsig_batch_verify_35422: min 19.6us / avg 19.6us / max 19.6us
+schnorrsig_batch_verify_42507: min 19.6us / avg 19.6us / max 19.6us
+schnorrsig_batch_verify_51009: min 19.5us / avg 19.5us / max 19.6us
+schnorrsig_batch_verify_61211: min 19.5us / avg 19.5us / max 19.5us
+schnorrsig_batch_verify_73454: min 19.4us / avg 19.4us / max 19.4us
+schnorrsig_batch_verify_88145: min 19.4us / avg 19.5us / max 19.5us
+schnorrsig_batch_verify_105775: min 19.4us / avg 19.4us / max 19.4us
+schnorrsig_batch_verify_126931: min 19.3us / avg 19.4us / max 19.4us
+schnorrsig_batch_verify_152318: min 19.3us / avg 19.3us / max 19.3us
+schnorrsig_batch_verify_182782: min 19.3us / avg 19.3us / max 19.3us
+schnorrsig_batch_verify_219339: min 19.3us / avg 19.4us / max 19.4us
+schnorrsig_batch_verify_263207: min 19.3us / avg 19.4us / max 19.4us
+schnorrsig_batch_verify_315849: min 19.3us / avg 19.3us / max 19.4us
+schnorrsig_batch_verify_379019: min 19.3us / avg 19.4us / max 19.4us
+schnorrsig_batch_verify_454823: min 19.3us / avg 19.3us / max 19.4us

doc/speedup-batch/bench_output.txt.log

@@ -1,4 +1,4 @@
-HEAD: 1e850ba7
+HEAD: 2d843581
 checking build system type... x86_64-pc-linux-gnu
 checking host system type... x86_64-pc-linux-gnu
 checking for a BSD-compatible install... /usr/bin/install -c

doc/speedup-batch/speedup-batch.png

@@ -265,7 +265,7 @@ static int secp256k1_schnorrsig_verify_batch_ecmult_callback(secp256k1_scalar *s
          * (-randomizer_cache[1], R2)
          * (-randomizer_cache[1]*e2, P2) */
         secp256k1_scalar_chacha20(&ecmult_context->randomizer_cache[0], &ecmult_context->randomizer_cache[1], ecmult_context->chacha_seed, idx / 4);
-        secp256k1_scalar_split_128(&ecmult_context->randomizer_cache[0], &ecmult_context->randomizer_cache[1], &ecmult_context->randomizer_cache[1]);
+        secp256k1_scalar_split_128_randomizer(&ecmult_context->randomizer_cache[0], &ecmult_context->randomizer_cache[1], &ecmult_context->randomizer_cache[1]);
     }
 
     /* R */
@@ -368,7 +368,7 @@ static int secp256k1_schnorrsig_verify_batch_sum_s(secp256k1_scalar *s, unsigned
         secp256k1_scalar term;
         if (i % 2 == 1) {
             secp256k1_scalar_chacha20(&randomizer_cache[0], &randomizer_cache[1], chacha_seed, i / 2);
-            secp256k1_scalar_split_128(&randomizer_cache[0], &randomizer_cache[1], &randomizer_cache[1]);
+            secp256k1_scalar_split_128_randomizer(&randomizer_cache[0], &randomizer_cache[1], &randomizer_cache[1]);
         }
 
         secp256k1_scalar_set_b32(&term, &sig[i][32], &overflow);

src/modules/schnorrsig/main_impl.h

@@ -105,4 +105,7 @@ static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a
 /** Generate two scalars from a 32-byte seed and an integer using the chacha20 stream cipher */
 static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t idx);
 
+/* Splits to a scalar into two scalars in [-2^127, 2^127-1] */
+static void secp256k1_scalar_split_128_randomizer(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k);
+
 #endif /* SECP256K1_SCALAR_H */

src/scalar.h

@@ -294,4 +294,13 @@ static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, con
 #endif /* VERIFY */
 #endif /* !defined(EXHAUSTIVE_TEST_ORDER) */
 
+static void secp256k1_scalar_split_128_randomizer(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
+    /* 2^127 */
+    secp256k1_scalar t = SECP256K1_SCALAR_CONST(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x80000000, 0x00000000, 0x00000000, 0x00000000);
+    secp256k1_scalar_negate(&t, &t);
+    secp256k1_scalar_split_128(r1, r2, k);
+    secp256k1_scalar_add(r1, r1, &t);
+    secp256k1_scalar_add(r2, r2, &t);
+}
+
 #endif /* SECP256K1_SCALAR_IMPL_H */