Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Optimize CheckMultiSig by using public key recovery. #15621

Open
roconnor-blockstream opened this issue Mar 18, 2019 · 3 comments
Open

Optimize CheckMultiSig by using public key recovery. #15621

roconnor-blockstream opened this issue Mar 18, 2019 · 3 comments
Labels
Brainstorming Up for grabs

Comments

@roconnor-blockstream
Copy link
Contributor

I had a recent chat with @sipa about an idea I had to reimplement the CheckMultiSig operations to use public key recovery without altering their semantics.

New new proposed implementation would proceed as follows.

  1. For each signature in a k-of-n CheckMultiSig operation, the message hash is computed (calling find-and-delete if required).
  2. For each of k signature and message hash pairs, public key recovery is run to produce a list of sets of points in Jacobin coordinates. This requires at least one modular square root operation (and very rarely two), similar in cost to a pubkey decompression, per signature. The resulting list has k sets and each set has 2 points (or very rarely 4 points).
  3. All of the recovered points are batch converted from Jacobian coordinates to affine coordinates at the cost of one modular inverse operation for the entire batch.
  4. The list of sets of recovered points are compared, in order, to the list of serialized pubkeys passed to CheckMultiSig, using a new "compare affine point to serialized pubkey" function. No pubkey decompression need be done.

The advantage of this proposed method over the current "try-and-fail" method is that the number of elliptic curve operations is now roughly proportional to k, the number of signatures, rather than n the number of pubkeys.

For non-n-of-n CheckMultiSig operations, I expect this method should be faster than the current implementation. For n-of-n CheckMultiSig operations, the proposed method is not likely to be faster than local (n signature) batch verification and certainly not faster than global batch verification (for OP_CHECKMULTISIGVERIFY).

Unfortunately, I don't have time to pursue a PR to implement this proposal at the moment, and maybe someone else would like to pick up this issue.
@elichai elichai mentioned this issue Aug 22, 2019
Closed
@prusnak
Copy link
Contributor

prusnak commented Mar 18, 2022

Is this optimization also relevant for Taproot-style multisig via OP_CHECKSIGADD? @roconnor-blockstream @sipa

@sipa
Copy link
Member

sipa commented Mar 18, 2022
edited

@prusnak No, because

  • (a) pubkey recovery is not supported by BIP340 Schnorr signatures
  • (b) there is a more powerful optimization possible by design (but not implemented yet), namely batch validation across all signatures - possibly across multiple inputs or even multiple transactions.

@prusnak
Copy link
Contributor

prusnak commented Mar 18, 2022

No, because

I suspected so, but wanted confirmation. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Brainstorming Up for grabs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@prusnak @sipa @fanquake @roconnor-blockstream