From 88ee5d596acf1651bfcf47452facbe8791e9285e Mon Sep 17 00:00:00 2001
From: Etan Kissling <etan@status.im>
Date: Mon, 7 Aug 2023 12:54:28 +0200
Subject: [PATCH] allow subtracting from aggregate for when participation is
 high

When the aggregate public key of full participation is known,
and participation is high, it is worthwhile to subtract individual keys
from the known full participation aggregate public key.

Add a corresponding `fastAggregateVerify` overload to support that.
---
 blscurve/bls_public_exports.nim            |  2 +-
 blscurve/bls_sig_min_pubkey.nim            | 15 +++++++++++++++
 blscurve/blst/blst_min_pubkey_sig_core.nim | 11 +++++++++++
 tests/download_ef_bls12381_vectors.sh      |  0
 tests/eth2_vectors.nim                     |  7 +++++++
 5 files changed, 34 insertions(+), 1 deletion(-)
 mode change 100644 => 100755 tests/download_ef_bls12381_vectors.sh

diff --git a/blscurve/bls_public_exports.nim b/blscurve/bls_public_exports.nim
index a39ae8e..16a457c 100644
--- a/blscurve/bls_public_exports.nim
+++ b/blscurve/bls_public_exports.nim
@@ -23,7 +23,7 @@ export
 # TODO - MIRACL implementation
 when BLS_BACKEND == BLST:
   export
-    exportUncompressed,
+    exportUncompressed, subtractAll,
     ID, recover, genSecretShare, fromUint32, add
 
 import bls_sig_min_pubkey
diff --git a/blscurve/bls_sig_min_pubkey.nim b/blscurve/bls_sig_min_pubkey.nim
index 2757a9a..053fbd9 100644
--- a/blscurve/bls_sig_min_pubkey.nim
+++ b/blscurve/bls_sig_min_pubkey.nim
@@ -256,3 +256,18 @@ func fastAggregateVerify*[T: byte|char](
   if not aggAffine.aggregateAll(publicKeys):
     return false
   return coreVerifyNoGroupCheck(aggAffine, message, signature, DST)
+
+func fastAggregateVerify*[T: byte|char](
+        fullParticipationAggregatePublicKey: PublicKey,
+        nonParticipatingPublicKeys: openArray[PublicKey],
+        message: openArray[T],
+        signature: Signature
+      ): bool =
+  ## Verify the aggregate of multiple signatures on the same message
+  ## This function is faster than AggregateVerify
+  ##
+  ## The proof-of-possession MUST be verified before calling this function.
+  ## The caller must ensure that at least one participating public key remains.
+  var aggAffine = fullParticipationAggregatePublicKey
+  aggAffine.subtractAll(nonParticipatingPublicKeys)
+  coreVerifyNoGroupCheck(aggAffine, message, signature, DST)
diff --git a/blscurve/blst/blst_min_pubkey_sig_core.nim b/blscurve/blst/blst_min_pubkey_sig_core.nim
index 4857aee..cd2633c 100644
--- a/blscurve/blst/blst_min_pubkey_sig_core.nim
+++ b/blscurve/blst/blst_min_pubkey_sig_core.nim
@@ -187,6 +187,17 @@ template genAggregatorProcedures(
     dst.finish(agg)
     return true
 
+  proc subtractAll*(dst: var BaseType, elems: openArray[BaseType]) =
+    ## Subtracts all ``elems[0..<elems.len`` from ``dst``.
+    if len(elems) == 0:
+      return
+    var agg{.noinit.}: Aggregate
+    agg.init(elems[0])
+    agg.aggregate(elems.toOpenArray(1, elems.high))
+    agg.point.`blst _ p1_or_p2 _ cneg`(cbit = 1)
+    agg.aggregate(dst)
+    dst.finish(agg)
+
 genAggregatorProcedures(AggregateSignature, Signature, p2)
 genAggregatorProcedures(AggregatePublicKey, PublicKey, p1)
 
diff --git a/tests/download_ef_bls12381_vectors.sh b/tests/download_ef_bls12381_vectors.sh
old mode 100644
new mode 100755
diff --git a/tests/eth2_vectors.nim b/tests/eth2_vectors.nim
index b3490df..c76e71d 100644
--- a/tests/eth2_vectors.nim
+++ b/tests/eth2_vectors.nim
@@ -254,6 +254,13 @@ testGen(aggregate, test):
       "   computed: " & libAggSig.toHex() & "\n" &
       "   expected: " & expectedAgg.val.toHex()
 
+    when BLS_BACKEND == BLST:
+      libAggSig.subtractAll(sigs.val.toOpenArray(1, sigs.val.high))
+      doAssert libAggSig == sigs.val[0], block:
+        "\nSubtracting all but one signature differs from expected \n" &
+        "   computed: " & libAggSig.toHex() & "\n" &
+        "   expected: " & sigs.val[0].toHex()
+
 testGen(fast_aggregate_verify, test):
   let
     expected = bool.getFrom(test, Output)