allow subtracting from aggregate for when participation is high

When the aggregate public key of full participation is known, and participation is high, it is worthwhile to subtract individual keys from the known full participation aggregate public key. Add a corresponding `fastAggregateVerify` overload to support that.
status-im · Aug 7, 2023 · 88ee5d5 · 88ee5d5
1 parent 5937eb9
commit 88ee5d5
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 1 deletion.
diff --git a/blscurve/bls_public_exports.nim b/blscurve/bls_public_exports.nim
@@ -23,7 +23,7 @@ export
 # TODO - MIRACL implementation
 when BLS_BACKEND == BLST:
   export
-    exportUncompressed,
+    exportUncompressed, subtractAll,
     ID, recover, genSecretShare, fromUint32, add
 
 import bls_sig_min_pubkey

diff --git a/blscurve/bls_sig_min_pubkey.nim b/blscurve/bls_sig_min_pubkey.nim
@@ -256,3 +256,18 @@ func fastAggregateVerify*[T: byte|char](
   if not aggAffine.aggregateAll(publicKeys):
     return false
   return coreVerifyNoGroupCheck(aggAffine, message, signature, DST)
+
+func fastAggregateVerify*[T: byte|char](
+        fullParticipationAggregatePublicKey: PublicKey,
+        nonParticipatingPublicKeys: openArray[PublicKey],
+        message: openArray[T],
+        signature: Signature
+      ): bool =
+  ## Verify the aggregate of multiple signatures on the same message
+  ## This function is faster than AggregateVerify
+  ##
+  ## The proof-of-possession MUST be verified before calling this function.
+  ## The caller must ensure that at least one participating public key remains.
+  var aggAffine = fullParticipationAggregatePublicKey
+  aggAffine.subtractAll(nonParticipatingPublicKeys)
+  coreVerifyNoGroupCheck(aggAffine, message, signature, DST)
diff --git a/blscurve/blst/blst_min_pubkey_sig_core.nim b/blscurve/blst/blst_min_pubkey_sig_core.nim
@@ -187,6 +187,17 @@ template genAggregatorProcedures(
     dst.finish(agg)
     return true
 
+  proc subtractAll*(dst: var BaseType, elems: openArray[BaseType]) =
+    ## Subtracts all ``elems[0..<elems.len`` from ``dst``.
+    if len(elems) == 0:
+      return
+    var agg{.noinit.}: Aggregate
+    agg.init(elems[0])
+    agg.aggregate(elems.toOpenArray(1, elems.high))
+    agg.point.`blst _ p1_or_p2 _ cneg`(cbit = 1)
+    agg.aggregate(dst)
+    dst.finish(agg)
+
 genAggregatorProcedures(AggregateSignature, Signature, p2)
 genAggregatorProcedures(AggregatePublicKey, PublicKey, p1)
 

diff --git a/tests/download_ef_bls12381_vectors.sh b/tests/download_ef_bls12381_vectors.sh
diff --git a/tests/eth2_vectors.nim b/tests/eth2_vectors.nim
@@ -254,6 +254,13 @@ testGen(aggregate, test):
       "   computed: " & libAggSig.toHex() & "\n" &
       "   expected: " & expectedAgg.val.toHex()
 
+    when BLS_BACKEND == BLST:
+      libAggSig.subtractAll(sigs.val.toOpenArray(1, sigs.val.high))
+      doAssert libAggSig == sigs.val[0], block:
+        "\nSubtracting all but one signature differs from expected \n" &
+        "   computed: " & libAggSig.toHex() & "\n" &
+        "   expected: " & sigs.val[0].toHex()
+
 testGen(fast_aggregate_verify, test):
   let
     expected = bool.getFrom(test, Output)