New algorithms for batch verification of standard ECDSA signatures

  • Regular Paper
  • Journal of Cryptographic Engineering

Abstract

In this paper, several algorithms for batch verification of ECDSA signatures are studied. The first of these algorithms is based upon the naive idea of taking square roots in the underlying field. In order to improve the efficiency beyond what can be achieved by the naive algorithm, two new algorithms are proposed which replace square-root computations by symbolic manipulations. Experiments carried out on NIST prime curves demonstrate a maximum speedup of more than six over individual verification if all the signatures in the batch belong to the same signer, and a maximum speedup of about two if the signatures in the batch belong to different signers, both achieved by a fast variant of the second symbolic-manipulation algorithm. In terms of security, all the studied algorithms are equivalent to standard ECDSA* batch verification. These algorithms are practical only for small (\({\le }8\)) batch sizes. The algorithms are also ported to the NIST Koblitz curves defined over fields of characteristic 2. This appears to be the first reported study on the batch verification of standard ECDSA signatures.

Author information

Corresponding author

Correspondence to Abhijit Das.

Additional information

This paper was presented in part at AfricaCrypt 2012.

Appendices

Appendix A: Properties of \(R_x\) and \(R_y\)

Theorem 1

\(R_x\) consists of only even-degree monomials, and \(R_y\) consists of only odd-degree monomials in the variables \(y_1,y_2,\ldots ,y_t\).

Proof

We proceed by induction on the batch size \(t\ge 1\). If \(t=1\) (this amounts to individual verification), we have \(R_x=r_1\) and \(R_y=y_1\), for which the theorem evidently holds.

So assume that \(t\ge 2\). We compute \(R=\sum _{i=1}^tR_i\) as \(R'+R''\) with \(R'=\sum _{i=1}^{\tau }R_i\) and \(R''=\sum _{i=\tau +1}^tR_i\) for some \(\tau \) in the range \(1\le \tau \le t-1\). Let \(R'=(R'_x,R'_y)\) and \(R''=(R''_x,R''_y)\). The inductive assumption is that all non-zero terms of \(R'_x\) and \(R''_x\) are of even degrees (in \(y_1,\ldots ,y_\tau \) and \(y_{\tau +1},\ldots ,y_t\), respectively), and all non-zero terms of \(R'_y\) and \(R''_y\) are of odd degrees.

We first symbolically compute \(\lambda =(R''_y-R'_y)/(R''_x-R'_x)\) as a rational function. Clearing the variables \(y_i\) from the denominator multiplies both the numerator and the denominator of \(\lambda \) by polynomials all of whose non-zero terms have even degree. Every substitution of \(y_i^2\) by the field element \(r_i^3+ar_i+b\) reduces the \(y_i\)-degree of certain terms by \(2\), so the parity of the degrees of these terms is not altered. Finally, \(\lambda \) becomes a polynomial (an odd-degree numerator over a \(y\)-free denominator) in which each non-zero term has odd degree. But then \(R_x=\lambda ^2-R'_x-R''_x\) is a polynomial with each non-zero term having even degree, whereas \(R_y=\lambda (R'_x-R_x)-R'_y\) is a polynomial with each non-zero term having odd degree. Further substitutions of \(y_i^2\) by \(r_i^3+ar_i+b\) to simplify \(R_x\) and \(R_y\) preserve these degree properties. \(\bullet \)
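The abstract's replacement of square roots by symbolic manipulation, and the even/odd monomial structure of Theorem 1, can be seen concretely for a batch of \(t=2\) signatures. The following script is an added example and is not code from the paper or its authors. Everything in it is constructed for illustration: the toy curve \(y^2=x^3+x+6\) over \(\mathbb {F}_{11}\) (13 points, so its order \(N=13\) exceeds the field size and \(r_i\) equals the \(x\)-coordinate of \(R_i\)), the private keys, the "hash values" \(e_i\) and the caller-supplied nonces. For \(t=2\) the slope denominator \(r_2-r_1\) is already \(y\)-free, so \(R_x=c_0+c_1y_1y_2\) has the two even-degree monomials \(1\) and \(y_1y_2\), and a single squaring eliminates the unknown product using \(y_1^2y_2^2=(r_1^3+ar_1+b)(r_2^3+ar_2+b)\); the conjugate multiplication of Appendix A and the larger elimination of Appendices B and D are only needed for \(t\ge 3\).

```python
# Added example (not code from the paper or its authors): the t = 2 instance of
# batch-verifying standard ECDSA signatures with symbolic manipulation instead
# of square roots.  Everything here is constructed for illustration: the toy
# curve y^2 = x^3 + x + 6 over F_11 (13 points, so prime order N = 13 > P),
# the keys, the "hash values" e and the nonces k.  Real use needs a NIST-sized
# curve and random (or RFC 6979) nonces.

P, A, B = 11, 1, 6
G = (2, 7)        # any point other than O generates the order-13 group
N = 13            # N > P, so r = x(R) mod N is exactly the x-coordinate x(R)
INF = None        # point at infinity


def ec_add(P1, P2):
    """Affine addition on y^2 = x^3 + A x + B over F_P (chord-and-tangent)."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                       # P2 = -P1
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def sign(d, e, k):
    """Textbook ECDSA with a caller-supplied nonce k; None if r or s is 0."""
    if not 0 < k < N:
        return None
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * d) % N
    return (r, s) if r and s else None


def verify_one(Q, e, sig):
    """Individual verification: x(u G + v Q) mod N == r."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, Q))
    return R is not INF and R[0] % N == r


def rhs(x):
    """y^2 = x^3 + A x + B: all the verifier knows about y_i for a given r_i."""
    return (x ** 3 + A * x + B) % P


def batch_verify_2(Q1, e1, sig1, Q2, e2, sig2):
    """Batch-verify two signatures without recovering y_1, y_2 by square roots."""
    (r1, s1), (r2, s2) = sig1, sig2
    for r, s in ((r1, s1), (r2, s2)):
        if not (0 < r < P and 0 < s < N):   # r >= P is not an x-coordinate here
            return False
    w1, w2 = pow(s1, -1, N), pow(s2, -1, N)
    # ECDSA* side: the point sum(u_i G + v_i Q_i), computed once for the batch.
    S = ec_add(ec_add(ec_mul(e1 * w1 % N, G), ec_mul(r1 * w1 % N, Q1)),
               ec_add(ec_mul(e2 * w2 % N, G), ec_mul(r2 * w2 % N, Q2)))
    if S is INF:
        # Degenerate batch (e.g. R_1 = -R_2): there is no x-coordinate to
        # compare, so a real verifier falls back to individual verification.
        return False
    alpha = S[0]
    # Symbolic side: x(R_1 + R_2) with R_i = (r_i, y_i) and y_i unknown.
    if r1 == r2:
        # R_2 = +-R_1: the sum is either O (rejected above) or 2R_1, whose
        # x-coordinate needs only y_1^2:  lambda^2 = (3r_1^2 + A)^2 / (4 y_1^2).
        lam2 = pow(3 * r1 * r1 + A, 2, P) * pow(4 * rhs(r1), -1, P) % P
        return (lam2 - 2 * r1) % P == alpha
    inv = pow(r2 - r1, -1, P)
    # lambda = (y_2 - y_1)/(r_2 - r_1), so lambda^2 = (y_1^2 + y_2^2 - 2 y_1 y_2)
    # / (r_2 - r_1)^2, and after substituting y_i^2 = rhs(r_i) we get
    # R_x = c0 + c1 * y_1 * y_2: only even-degree monomials, as Theorem 1 says.
    c0 = ((rhs(r1) + rhs(r2)) * inv * inv - r1 - r2) % P
    c1 = (-2 * inv * inv) % P
    # R_x = alpha is linear in the single unknown monomial y_1 y_2.  One
    # squaring eliminates it, because (y_1 y_2)^2 = rhs(r_1) rhs(r_2) is known.
    lhs = pow((alpha - c0) * pow(c1, -1, P), 2, P)
    return lhs == rhs(r1) * rhs(r2) % P


if __name__ == "__main__":
    Q1, Q2 = ec_mul(3, G), ec_mul(5, G)          # private keys 3 and 5
    sig1, sig2 = sign(3, 4, 1), sign(5, 9, 4)    # hashes e = 4, 9; nonces 1, 4
    print(verify_one(Q1, 4, sig1), verify_one(Q2, 9, sig2))   # True True
    print(batch_verify_2(Q1, 4, sig1, Q2, 9, sig2))          # True
    print(batch_verify_2(Q1, 4, sig1, Q2, 1, sig2))          # False: e_2 altered
```

The squared check accepts exactly when some choice of signs \(\pm R_1\pm R_2\) has \(x\)-coordinate \(\alpha \), which is the sign ambiguity inherent in comparing only \(x\)-coordinates and is why the paper states security equivalence with ECDSA* batch verification rather than with individual verification. On a field this small, false acceptances of a forged batch are not rare; the probability bounds of Appendix D only become meaningful for \(q\ge 2^{160}\).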

Appendix B: Derivation of \(\delta \)

In order to compute the number of roots \((r_1,r_2,\ldots ,r_t)\) of \(\det M=0\), we treat \(r_1,r_2,\ldots ,r_t\) as symbols, and need to calculate an upper bound on the degree \(\delta \) of each individual \(r_i\). Without loss of generality, we compute an upper bound on the degree \(\delta \) of \(r_1\) in \(\det M=0\). To this effect, we first look at the expressions for \(R_x\) and \(R_y\) which are elements of \(\mathbb {F}_q(r_1,r_2,\ldots ,r_t)[y_1,y_2,\ldots ,y_t]\). We can write \(R_x=g_x/h\) and \(R_y=g_y/h\), where \(g_x,g_y\) are polynomials in \(\mathbb {F}_q[r_1,r_2,\ldots ,r_t,y_1,y_2,\ldots ,y_t]\), and the common denominator \(h\) is a polynomial in \(\mathbb {F}_q[r_1,r_2,\ldots ,r_t]\). Let \(\eta _t\) denote the maximum of the \(r_1\)-degrees in \(g_x\), \(g_y\) and \(h\). We first recursively derive an upper bound for \(\eta _t\).

We compute \(R=R'+R''\) with \(R'=(R'_x,R'_y)=\sum _{i=1}^{\tau }R_i\) and \(R''=(R''_x,R''_y)=\sum _{i=\tau +1}^tR_i\), where \(\tau =\left\lceil t/2\right\rceil \). The \(r_1\)-degree of \(R'\) is \(\eta _{\tau }\), whereas the \(r_1\)-degree of \(R''\) is \(0\). The initial \(r_1\)-degree of \(\lambda =(R''_y-R'_y)/(R''_x-R'_x)\) is at most \(\eta _\tau \). Clearing \(y_1\) from the denominator of \(\lambda \) changes the \(r_1\)-degree to \(2\eta _\tau +3\). Subsequent eliminations of \(y_2,\ldots ,y_t\) finally reduce \(\lambda \) to an expression with a \(y\)-free denominator. The maximum \(r_1\)-degree of this expression for \(\lambda \) is \(2^{t-1}(2\eta _\tau +3)\). Therefore, \(\lambda ^2\) has \(r_1\)-degree no more than \(2^t(2\eta _\tau +3)\). Subsequent computations of \(R_x=\lambda ^2-R'_x-R''_x\) and \(R_y=\lambda (R'_x-R_x)-R'_y\) indicate that

$$\begin{aligned} \eta _t\le (2^t+2^{t-1})(2\eta _\tau +3)+2\eta _\tau \end{aligned}$$

with \(\tau =\left\lceil t/2\right\rceil \). Solving this recurrence gives the upper bound \(\eta _t\le 2^{2t+3\left\lceil \log _2t\right\rceil +2}\).
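The solution of the recurrence is not carried out on the page; the following added check (not part of the paper) verifies that the stated bound satisfies the recurrence, using the paper's symbols. Write \(L=\left\lceil \log _2t\right\rceil \) and \(\tau =\left\lceil t/2\right\rceil \); for \(t\ge 2\) one has \(\left\lceil \log _2\tau \right\rceil =L-1\) and \(2\tau \le t+1\). The base case is \(t=1\), where \(R_x=r_1\), \(R_y=y_1\) and \(h=1\) give \(\eta _1=1\le 2^{4}\). Assuming the bound for \(\tau \),

$$\begin{aligned} \eta _\tau&\le 2^{2\tau +3(L-1)+2}\le 2^{t+3L},\\ \eta _t&\le (2^t+2^{t-1})(2\eta _\tau +3)+2\eta _\tau \\&\le 3\cdot 2^{t-1}\left( 2^{t+3L+1}+3\right) +2^{t+3L+1}\\&=3\cdot 2^{2t+3L}+9\cdot 2^{t-1}+2^{t+3L+1}\\&\le 4\cdot 2^{2t+3L}=2^{2t+3L+2}, \end{aligned}$$

where the last step uses \(2^{2t+3L}\ge 2^{t+3L+1}+9\cdot 2^{t-1}\) for \(t\ge 2\) (for \(t=2\), \(L=1\) this reads \(128\ge 64+18\), and the slack only grows with \(t\)).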

Now, we follow a sequence of squaring and monomial multiplication to convert \(R_x=\alpha \) to a set of linear equations. If \(\Delta _i\) is the \(r_1\)-degree of the \(i\)-th equation, we have

$$\begin{aligned} \Delta _1&= \eta _t,\\ \Delta _i&\le 2\Delta _{i-1}+3\quad \hbox {for}\;\;i\ge 2. \end{aligned}$$

The recurrence relation pertains to the case of squaring. One easily checks that \(\Delta _i\le (\eta _t+3)2^{i-1}\) for all \(i\ge 1\). Finally, we consider \(\det M=0\). The \(r_1\)-degree of this equation is

$$\begin{aligned} \delta&\le \Delta _1+\Delta _2+\cdots +\Delta _{\mu }\le (\eta _t+3)(2^{\mu }-1)\\&\le \left( 2^{2t+3\left\lceil \log _2t\right\rceil +2}+3\right) \left( 2^{2^{t-1}-1}-1\right) . \end{aligned}$$

Notice that this is potentially a very loose upper bound for \(\delta \). In general, we avoid squaring. Multiplication by a monomial can increase the \(r_1\)-degree by \(3\) if the monomial contains \(y_1\). If the monomial does not contain \(y_1\), the \(r_1\)-degree does not increase at all. Nevertheless, this loose upper bound is good enough in the present context.

Appendix C: Number of roots of \(\det M=0\)

Let us write the equation \(\det M=0\) as \(D(r_1,r_2,\ldots ,r_t)=0\), where the \(r_i\)-degree of the multivariate polynomial \(D\) is \(\le \delta \) for each \(i\). We assume that \(D\) is not identically zero. We plan to show that the maximum number \(B^{(t)}\) of roots of \(D\) is \(\le t\delta q^{t-1}\). To that effect, we first write \(D\) as a polynomial in \(r_t\):

$$\begin{aligned} D(r_1,r_2,\ldots ,r_t)&= D_{\delta }(r_1,r_2,\ldots ,r_{t-1})r_t^{\delta }\\&+D_{\delta -1}(r_1,r_2,\ldots ,r_{t-1})r_t^{\delta -1}\\&+\cdots +D_{1}(r_1,r_2,\ldots ,r_{t-1})r_t\\&+D_{0}(r_1,r_2,\ldots ,r_{t-1}). \end{aligned}$$

Since \(D\) is not identically zero, at least one \(D_i\) is not identically zero. If \((r_1,r_2,\ldots ,r_{t-1})\) is a common root of each \(D_i\), appending any value of \(r_t\) gives a root of \(D\). The maximum number of common roots of \(D_0,D_1,\ldots ,D_{\delta }\) is \(B^{(t-1)}\). On the other hand, if \((r_1,r_2,\ldots ,r_{t-1})\) is not a common root of all \(D_i\), there are at most \(\delta \) values of \(r_t\) satisfying \(D(r_1,r_2,\ldots , r_t)=0\). We, therefore, have

$$\begin{aligned} B^{(t)}\le B^{(t-1)}q+(q^{t-1}-B^{(t-1)})\delta =(q-\delta )B^{(t-1)}+\delta q^{t-1}. \end{aligned}$$
(21)

Moreover, we have

$$\begin{aligned} B^{(1)}\le \delta . \end{aligned}$$
(22)

By induction on \(t\), one can show that \(B^{(t)}\le t\delta q^{t-1}\). This bound is rather tight, particularly for \(\delta \ll q\) (as it happens in our cases of interest). A polynomial \(D\) satisfying equalities in (21) and (22) can be constructed as \(D(r_1,r_2,\ldots ,r_t)=\Delta (r_1)\Delta (r_2)\cdots \Delta (r_t)\), where \(\Delta \) is a square-free univariate polynomial of degree \(\delta \), that splits over \(\mathbb {F}_q\). By the principle of inclusion and exclusion (or by explicitly solving the recurrence (21)), we obtain the total number of roots of this \(D\) as

$$\begin{aligned}&\delta tq^{t-1}-\binom{t}{2}\delta ^2q^{t-2}+\binom{t}{3}\delta ^3q^{t-3}-\cdots +(-1)^{t-1}\delta ^t\\&\quad =q^t-(q-\delta )^t\\&\quad =\delta (q^{t-1}+(q-\delta )q^{t-2}+(q-\delta )^2q^{t-3}+\cdots +(q-\delta )^{t-1}). \end{aligned}$$

If \(\delta \ll q\), this count is very close to \(t\delta q^{t-1}\). It remains questionable whether our equation \(\det M=0\) actually encounters this worst-case situation, but this does not matter, at least in a probabilistic sense.
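The induction step behind \(B^{(t)}\le t\delta q^{t-1}\), written out here as an added derivation (not on the page) from the paper's recurrence (21) and base case (22): assume \(B^{(t-1)}\le (t-1)\delta q^{t-2}\), which for \(t=2\) is (22). When \(\delta \le q\) the factor \(q-\delta \) is non-negative, so (21) gives

$$\begin{aligned} B^{(t)}&\le (q-\delta )(t-1)\delta q^{t-2}+\delta q^{t-1}\\&=(t-1)\delta q^{t-1}-(t-1)\delta ^2q^{t-2}+\delta q^{t-1}\\&=t\delta q^{t-1}-(t-1)\delta ^2q^{t-2}\le t\delta q^{t-1}. \end{aligned}$$

If instead \(\delta >q\), then \(t\delta q^{t-1}\ge q^t\) already exceeds the total number of \(t\)-tuples, so the bound holds trivially.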

Appendix D: Derivation of the probabilities \(p_i\)

Like Algorithm S1, we first symbolically compute \(R=\sum _{i=1}^tR_i\), and arrive at Eqs. (10) and (11). Then, we set \(\phi =R_x-\alpha \) in step 9 of Algorithm S2. If \(\phi \) is identically zero, then for any values of \(y_1,y_2,\ldots ,y_t\), batch verification succeeds without using Eqs. (4) in the elimination phase at all. This situation occurs if all the coefficients of all the monomials (and also the constant term) in \(\phi \) are zero. We name the monomials (of even total degrees, including that of degree zero) as \(z_1,z_2,\ldots ,z_{\mu +1}\), where \(\mu =2^{t-1}-1\). We write this situation as

$$\begin{aligned} \rho _{1}z_1+\rho _{2}z_2+\cdots +\rho _{\mu +1}z_{\mu +1}=0, \end{aligned}$$
(23)

with each \(\rho _i=0\). For the moment, we treat the \(x\)-coordinates \(r_1,r_2,\ldots ,r_t\) as symbols. Each \(\rho _i\) in Eq. (23) is a polynomial in \(\mathbb {F}_q[r_1,r_2,\ldots ,r_t]\). Let \(\delta '\) be the maximum degree of each individual \(r_j\) in each \(\rho _i\). As already derived in Appendix B, \(\delta '\) is bounded from above by \(\Delta _1=\eta _t\le 2^{2t+3\left\lceil \log _2t\right\rceil +2}\). If we restrict our attention to the values \(t\le 8\), we see that \(\delta '\le 2^{27}\). Let the tuple \((r_1, r_2,\ldots ,r_t)\) be a root of \(\rho _i\). As in Appendix C, we estimate that there are \(\le t\delta 'q^{t-1}\) such tuples. The total number of \(t\)-tuples over \(\mathbb {F}_q\) is \(q^t\). Therefore, a randomly chosen tuple \((r_1,r_2,\ldots ,r_t)\) is a root of \(\rho _i\) with probability \(\le t\delta ' q^{t-1}/q^t=t\delta '/q\). Now, the total number of \(\rho _i\)’s is \(\mu +1\). Therefore, the probability that a randomly chosen tuple \((r_1,r_2,\ldots ,r_t)\) over \(\mathbb {F}_q\) is a root of all the \(\rho _i\)’s is \(p_1\le (t\delta '/q)^{\mu +1}\). For \(t\le 8\), \(\delta '\le 2^{27}\) and \(q\ge 2^{160}\), we have \(p_1\le 2^{-16510}\).

Even if \(\phi \) is not identically zero at the beginning of the elimination phase, it should never become so before all of \(y_1,y_2,\ldots ,y_t\) are eliminated. Let \(p_i\) denote the probability that \(\phi \) becomes identically zero before the elimination of \(y_i\). We have calculated \(p_1\) above. Here, we calculate \(p_i\) for \(i=2,3,\ldots ,t-1\). Let \(\delta '_i\) be the total degree in all \(r_j\)'s in \(\phi \) just before the elimination of \(y_i\). We have \(\delta '_i=2\delta '_{i-1}+3\approx 2\delta '_{i-1}\), so that \(\delta '_i\approx 2^{i-1}\delta '\) (each elimination involves one squaring, which doubles the degree). Moreover, at this point, the number of even-degree monomials in \(y_i,y_{i+1},\ldots ,y_t\) in \(\phi \) is \(2^{t-i}=(\mu +1)/2^{i-1}\). Therefore, like the expression for \(p_1\), we derive that \(p_i\le (t\delta '_i/q)^{2^{t-i}}= (t\delta '_i/q)^{\frac{\mu +1}{2^{i-1}}}\).

The probability that \(\phi \) becomes identically zero just before the elimination of \(y_i\), but never earlier, is \((1-p_1)(1-p_2)\cdots (1-p_{i-1})p_i\). Therefore, the probability that \(\phi \) becomes identically zero in any one of the \(t-1\) elimination rounds is

$$\begin{aligned} \pi \le \sum _{i=1}^{t-1}\left[ p_i\prod _{j=1}^{i-1}(1-p_j)\right] . \end{aligned}$$

For practical ranges of parameter values, all \(p_i\) are very close to zero, so we can approximate \(1-p_i\) by \(1\), and conclude that

$$\begin{aligned} \pi \approx \sum _{i=1}^{t-1}p_i. \end{aligned}$$

Moreover, \(p_{t-1}\) is the most dominating term in the above summation, so we have

$$\begin{aligned} \pi \approx \! p_{t-1}\le \!(t\delta '_{t-1}/q)^2\approx \!(t2^{t-2}\delta '/q)^2 \le \!2^{6t+8\left\lceil \log _2t\right\rceil +2}/q^2. \end{aligned}$$

Cite this article

Karati, S., Das, A., Roychowdhury, D. et al. New algorithms for batch verification of standard ECDSA signatures. J Cryptogr Eng 4, 237–258 (2014). https://doi.org/10.1007/s13389-014-0082-x
