Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Synthetic randomness for batch verification #204

Open
real-or-random opened this issue Jun 12, 2020 · 2 comments
Open

Synthetic randomness for batch verification #204

real-or-random opened this issue Jun 12, 2020 · 2 comments

Comments

@real-or-random
Copy link

real-or-random commented Jun 12, 2020
edited
Loading

After we have switched to recommending synthetic randomness for nonces, I propose to do the same for the randomness used in batch verification. Currently we derive the randomness deterministically from the inputs to the batch verification algorithm.

Mixing in real randomness avoids that the result of the batch verification algorithm is entirely predictably to an attacker. There will be sets of signatures that contain invalid signatures but still pass batch verification. If our hash function is good, these can be found only with negligible probability, so this is not an issue per se. But adding real randomness provides defense in depth and makes this attack impossible. This also prevents attempts to exploit such an attack to split the chain between one set of nodes with some PRG X and another set of nodes with some different PRG Y.

Moreover, when I say these inputs can only found with negligible probability, then this relies on an argument that is nowhere written up properly. It appears to be true and I think I have a simple proof but as far as I know, we're to first to specify such an algorithm. Independently of this, we should add a proof sketch to a footnote. (I can do this). But even if we have this argument written up, adding real randomness is defense in depth, and bring us back to "standard" batch verification, where the coefficients are random and which has been looked at often enough,.

I don't any of these points is a must-have. But given that adding real randomness is so cheap (and we can make it optional), I think we should do it. It's also easy to write in the BIP because we have some text already for nonces and we can mostly refer to this.
@jonasnick jonasnick mentioned this issue Jun 18, 2020
Closed
3 tasks
@jonasnick jonasnick mentioned this issue Jul 20, 2020
Merged
@sipa
Copy link
Owner

sipa commented Jul 20, 2020

This makes sense to me.

@jonasnick
Copy link

👍

@real-or-random real-or-random mentioned this issue May 23, 2021
Closed
siv2r added a commit to siv2r/secp256k1 that referenced this issue Aug 18, 2022
@siv2r
batch: Add create and destroy APIs
2843275 
This commit adds the `_batch_create` and `_batch_destroy` APIs.

- `_batch_scratch_size` allocation formula is taken from bench ecmult:
https://github.com/bitcoin-core/secp256k1/blob/master/src/bench_ecmult.c#L312
- `aux_rand16` param in `_batch_create` is used for synthetic randomness,
while generating randomizers: sipa/bips#204
siv2r added a commit to siv2r/secp256k1 that referenced this issue Aug 18, 2022
@siv2r
batch: Add create and destroy APIs
dfd4fcb 
This commit adds the `_batch_create` and `_batch_destroy` APIs.

- `_batch_scratch_size` allocation formula is taken from bench ecmult:
https://github.com/bitcoin-core/secp256k1/blob/694ce8fb2d1fd8a3d641d7c33705691d41a2a860/src/bench_ecmult.c#L312
- `aux_rand16` param in `_batch_create` is used for synthetic randomness,
while generating randomizers: sipa/bips#204
siv2r added a commit to siv2r/secp256k1 that referenced this issue Aug 20, 2022
@siv2r
batch: Add create and destroy APIs
e0dbd66 
This commit adds the _batch_create and _batch_destroy APIs.

Relevant Links:
1. _batch_scratch_size allocation formula is taken from bench ecmult:
https://github.com/bitcoin-core/secp256k1/blob/694ce8fb2d1fd8a3d641d7c33705691d41a2a860/src/bench_ecmult.c#L312.
2. aux_rand16 param in _batch_create enables synthetic randomness for
randomizer generation: sipa/bips#204.
fjahr pushed a commit to fjahr/secp256k1 that referenced this issue Oct 9, 2023
@siv2r @fjahr
batch: Add create and destroy APIs
c5ff549 
This commit adds the _batch_create and _batch_destroy APIs.

Relevant Links:
1. _batch_scratch_size allocation formula is taken from bench ecmult:
https://github.com/bitcoin-core/secp256k1/blob/694ce8fb2d1fd8a3d641d7c33705691d41a2a860/src/bench_ecmult.c#L312.
2. aux_rand16 param in _batch_create enables synthetic randomness for
randomizer generation: sipa/bips#204.
fjahr pushed a commit to fjahr/secp256k1 that referenced this issue Oct 14, 2023
@siv2r @fjahr
batch: Add create and destroy APIs
c67c32c 
This commit adds the _batch_create and _batch_destroy APIs.

Relevant Links:
1. _batch_scratch_size allocation formula is taken from bench ecmult:
https://github.com/bitcoin-core/secp256k1/blob/694ce8fb2d1fd8a3d641d7c33705691d41a2a860/src/bench_ecmult.c#L312.
2. aux_rand16 param in _batch_create enables synthetic randomness for
randomizer generation: sipa/bips#204.
fjahr pushed a commit to fjahr/secp256k1 that referenced this issue Feb 24, 2024
@siv2r @fjahr
batch: Add create and destroy APIs
871ade3 
This commit adds the _batch_create and _batch_destroy APIs.

Relevant Links:
1. _batch_scratch_size allocation formula is taken from bench ecmult:
https://github.com/bitcoin-core/secp256k1/blob/694ce8fb2d1fd8a3d641d7c33705691d41a2a860/src/bench_ecmult.c#L312.
2. aux_rand16 param in _batch_create enables synthetic randomness for
randomizer generation: sipa/bips#204.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sipa @real-or-random @jonasnick