You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If any of the G1, G2 arguments in the pairing are fixed(ie the public key is static or a constant parameter in the
system) we can have up to 37% faster Miller loop.
Typically BLST is doing that for the generator G, but in consensus systems where validator keys are fixed per epoch, we might be able to precompute stuff:
useful when verifying individual sigs (precompute one part of pairing Miller loop based on individual validator keys)
useful even on batch verification - precompute some known combinations (ie against the aggregated pubKey of most dominant validators
We could build that via some LRU on common validator combinations.
FYI @benr-ml who is working on unfolding BLS batch verification for a different purpose.
kchalkias
changed the title
Optimize pairing Miller loop on known arguments (ie fixed pubkeys)
Optimize Miller loop on known arguments (ie fixed pubkeys) expected 37% boost
Mar 15, 2023
kchalkias
changed the title
Optimize Miller loop on known arguments (ie fixed pubkeys) expected 37% boost
Optimize Miller loop on fixed pubkeys - expected 37% perf boost
Mar 15, 2023
It won't help us too much in case of individual signatures, since we rarely verify those.
As for batch verification - let's first collect some statistics on whether we see common sets of public keys.
I took a closer look at the BLST api, and it only allows pre computation for the right operand, aka the input element from G2, so it won't help us with fixed public keys in min_sig mode, and, as you say @kchalkias, blst already seems to do the pre computation for the G2 generator.
If any of the G1, G2 arguments in the pairing are fixed(ie the public key is static or a constant parameter in the
system) we can have up to 37% faster Miller loop.
Typically BLST is doing that for the generator G, but in consensus systems where validator keys are fixed per epoch, we might be able to precompute stuff:
We could build that via some LRU on common validator combinations.
FYI @benr-ml who is working on unfolding BLS batch verification for a different purpose.
Related paper: https://eprint.iacr.org/2010/342
The text was updated successfully, but these errors were encountered: