Anthony Towns [ARCHIVE] on Nostr: 📅 Original date posted:2018-08-06 📝 Original message:On Sun, Aug 05, 2018 at ...
📅 Original date posted:2018-08-06
📝 Original message:On Sun, Aug 05, 2018 at 10:33:52AM -0400, Russell O'Connor via bitcoin-dev wrote:
> In light of this, I revise my proposed change to make the verification
> equation
>
> R + sG + eP = 0.
Isn't the verification equation "R + s(-G) + eP = 0" equally good, then,
since -G is a constant? (ie, at worst it's a matter of optimising the
verifier for -G as well as G)
If not, what's the actual performance impact of having to negate "s"
as part of batch verifying ~10000 signatures? It seems like it should
be trivially small to me? (scalar_negate benchmarks at 0.00359us, while
ecdsa_verify benchmarks at 66us, which I believe then reduces by a factor
of ~3 for batches of 10k schnorr sigs?)
FWIW, I'm a fan of the formulation "s = r + H(R,P,m)p" mostly because
it seems like the simplest possible way of describing the setup, and I'm
all for optimising for people being able to understand what's going on.
Cheers,
aj
📝 Original message:On Sun, Aug 05, 2018 at 10:33:52AM -0400, Russell O'Connor via bitcoin-dev wrote:
> In light of this, I revise my proposed change to make the verification
> equation
>
> R + sG + eP = 0.
Isn't the verification equation "R + s(-G) + eP = 0" equally good, then,
since -G is a constant? (ie, at worst it's a matter of optimising the
verifier for -G as well as G)
If not, what's the actual performance impact of having to negate "s"
as part of batch verifying ~10000 signatures? It seems like it should
be trivially small to me? (scalar_negate benchmarks at 0.00359us, while
ecdsa_verify benchmarks at 66us, which I believe then reduces by a factor
of ~3 for batches of 10k schnorr sigs?)
FWIW, I'm a fan of the formulation "s = r + H(R,P,m)p" mostly because
it seems like the simplest possible way of describing the setup, and I'm
all for optimising for people being able to understand what's going on.
Cheers,
aj