batch, ecmult: Add batch_verify API and refactor strauss_batch

This commit refactors _ecmult_strauss_batch and adds _batch_verify API.

The current _ecmult_strauss_batch only works on empty scratch space. To
make _batch_verify work, we need _ecmult_strauss_batch to support a scratch
space pre-filled with scalars and points. So, it was refactored to do
exactly that.

The _batch_verify API always uses the Strauss algorithm. It doesn't switch
to Pippenger (unlike _ecmult_multi_var). _ecmult_pippenger_batch represents
points as secp256k1_ge whereas _ecmult_strauss_batch represents points as
secp256k1_gej. This makes supporting both Pippenger and Strauss difficult
(at least with the current batch object design). Hence, _batch_verify only
supports Strauss for simplicity.

Author: siv2r

include/secp256k1_batch.h

@@ -63,6 +63,21 @@ SECP256K1_API void secp256k1_batch_destroy(
     secp256k1_batch* batch
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
 
+/** Verify the set of schnorr signatures or tweaked pubkeys present in the secp256k1_batch.
+ *
+ *  Returns: 1: every schnorrsig/tweak (in batch) is valid
+ *           0: atleaset one of the schnorrsig/tweak (in batch) is invalid
+ *
+ *  In particular, returns 1 if the batch object is empty (does not contain any schnorrsigs/tweaks).
+ *
+ *  Args:    ctx: a secp256k1 context object (can be initialized for none).
+ *         batch: a secp256k1 batch object that contains a set of schnorrsigs/tweaks.
+ */
+SECP256K1_API int secp256k1_batch_verify(
+    const secp256k1_context *ctx,
+    secp256k1_batch *batch
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
+
 #ifdef __cplusplus
 }
 #endif

src/ecmult_impl.h

@@ -347,33 +347,58 @@ static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const sec
     secp256k1_ecmult_strauss_wnaf(&state, r, 1, a, na, ng);
 }
 
-static size_t secp256k1_strauss_scratch_size(size_t n_points) {
-    static const size_t point_size = (sizeof(secp256k1_ge) + sizeof(secp256k1_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct secp256k1_strauss_point_state) + sizeof(secp256k1_gej) + sizeof(secp256k1_scalar);
-    return n_points*point_size;
+/** Allocate strauss state on the scratch space */
+static int secp256k1_strauss_scratch_alloc_state(const secp256k1_callback* error_callback, secp256k1_scratch *scratch, struct secp256k1_strauss_state *state, size_t n_points) {
+    const size_t scratch_checkpoint = secp256k1_scratch_checkpoint(error_callback, scratch);
+
+    /* We allocate three objects on the scratch space. If these allocations
+     * change, make sure to check if this affects STRAUSS_SCRATCH_OBJECTS
+     * constant and strauss_scratch_size. */
+    state->aux = (secp256k1_fe*)secp256k1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_fe));
+    state->pre_a = (secp256k1_ge*)secp256k1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_ge));
+    state->ps = (struct secp256k1_strauss_point_state*)secp256k1_scratch_alloc(error_callback, scratch, n_points * sizeof(struct secp256k1_strauss_point_state));
+
+    if (state->aux == NULL || state->pre_a == NULL || state->ps == NULL) {
+        secp256k1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint);
+        return 0;
+    }
+    return 1;
 }
 
-static int secp256k1_ecmult_strauss_batch(const secp256k1_callback* error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) {
-    secp256k1_gej* points;
-    secp256k1_scalar* scalars;
+/** Run ecmult_strauss_wnaf on the given points and scalars */
+static int secp256k1_ecmult_strauss_batch_internal(const secp256k1_callback* error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, secp256k1_scalar *scalars, secp256k1_gej *points, const secp256k1_scalar *inp_g_sc, size_t n_points) {
     struct secp256k1_strauss_state state;
-    size_t i;
     const size_t scratch_checkpoint = secp256k1_scratch_checkpoint(error_callback, scratch);
 
     secp256k1_gej_set_infinity(r);
     if (inp_g_sc == NULL && n_points == 0) {
         return 1;
     }
 
-    /* We allocate STRAUSS_SCRATCH_OBJECTS objects on the scratch space. If these
-     * allocations change, make sure to update the STRAUSS_SCRATCH_OBJECTS
-     * constant and strauss_scratch_size accordingly. */
+    if(!secp256k1_strauss_scratch_alloc_state(error_callback, scratch, &state, n_points)) {
+        return 0;
+    }
+
+    secp256k1_ecmult_strauss_wnaf(&state, r, n_points, points, scalars, inp_g_sc);
+    secp256k1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint);
+    return 1;
+}
+
+/** Run ecmult_strauss_wnaf on the given points and scalars. Returns 0 if the
+ *  scratch space is empty. `n_points` number of scalars and points are
+ *  extracted from `cbdata` using `cb` and stored on the scratch space.
+ */
+static int secp256k1_ecmult_strauss_batch(const secp256k1_callback* error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) {
+    secp256k1_gej* points;
+    secp256k1_scalar* scalars;
+    size_t i;
+    const size_t scratch_checkpoint = secp256k1_scratch_checkpoint(error_callback, scratch);
+    /* We allocate STRAUSS_SCRATCH_OBJECTS objects on the scratch space in
+     * total. If these allocations change, make sure to update the
+     * STRAUSS_SCRATCH_OBJECTS constant and strauss_scratch_size accordingly. */
     points = (secp256k1_gej*)secp256k1_scratch_alloc(error_callback, scratch, n_points * sizeof(secp256k1_gej));
     scalars = (secp256k1_scalar*)secp256k1_scratch_alloc(error_callback, scratch, n_points * sizeof(secp256k1_scalar));
-    state.aux = (secp256k1_fe*)secp256k1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_fe));
-    state.pre_a = (secp256k1_ge*)secp256k1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_ge));
-    state.ps = (struct secp256k1_strauss_point_state*)secp256k1_scratch_alloc(error_callback, scratch, n_points * sizeof(struct secp256k1_strauss_point_state));
-
-    if (points == NULL || scalars == NULL || state.aux == NULL || state.pre_a == NULL || state.ps == NULL) {
+    if (points == NULL || scalars == NULL) {
         secp256k1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint);
         return 0;
     }
@@ -386,20 +411,30 @@ static int secp256k1_ecmult_strauss_batch(const secp256k1_callback* error_callba
         }
         secp256k1_gej_set_ge(&points[i], &point);
     }
-    secp256k1_ecmult_strauss_wnaf(&state, r, n_points, points, scalars, inp_g_sc);
+
+    secp256k1_ecmult_strauss_batch_internal(error_callback, scratch, r, scalars, points, inp_g_sc, n_points);
     secp256k1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint);
     return 1;
 }
 
-/* Wrapper for secp256k1_ecmult_multi_func interface */
-static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback* error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n) {
-    return secp256k1_ecmult_strauss_batch(error_callback, scratch, r, inp_g_sc, cb, cbdata, n, 0);
+/** Return the scratch size that is allocated by a call to strauss_batch
+ * (ignoring padding required for alignment). */
+static size_t secp256k1_strauss_scratch_size(size_t n_points) {
+    static const size_t point_size = (sizeof(secp256k1_ge) + sizeof(secp256k1_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct secp256k1_strauss_point_state) + sizeof(secp256k1_gej) + sizeof(secp256k1_scalar);
+    return n_points*point_size;
 }
 
+/** Return the maximum number of points that can be provided to strauss_batch
+ *  with a given scratch space. */
 static size_t secp256k1_strauss_max_points(const secp256k1_callback* error_callback, secp256k1_scratch *scratch) {
     return secp256k1_scratch_max_allocation(error_callback, scratch, STRAUSS_SCRATCH_OBJECTS) / secp256k1_strauss_scratch_size(1);
 }
 
+/* Wrapper for secp256k1_ecmult_multi_func interface */
+static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback* error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n) {
+    return secp256k1_ecmult_strauss_batch(error_callback, scratch, r, inp_g_sc, cb, cbdata, n, 0);
+}
+
 /** Convert a number to WNAF notation.
  *  The number becomes represented by sum(2^{wi} * wnaf[i], i=0..WNAF_SIZE(w)+1) - return_val.
  *  It has the following guarantees:

src/modules/batch/main_impl.h

@@ -45,6 +45,14 @@ static size_t secp256k1_batch_scratch_size(int max_terms) {
     return ret;
 }
 
+/** Clears the scalar and points allocated on the batch object's scratch space */
+static void secp256k1_batch_scratch_clear(secp256k1_batch* batch) {
+    secp256k1_scalar_clear(&batch->sc_g);
+    /* setting the len = 0 will suffice (instead of clearing the memory)
+     * since, there are no secrets stored on the scratch space */
+    batch->len = 0;
+}
+
 /** Allocates space for `batch->capacity` number of scalars and points on batch
  *  object's scratch space */
 static int secp256k1_batch_scratch_alloc(const secp256k1_callback* error_callback, secp256k1_batch* batch) {
@@ -138,4 +146,38 @@ void secp256k1_batch_destroy(const secp256k1_context *ctx, secp256k1_batch *batc
     }
 }
 
+/** verifies the inputs (schnorrsig or tweak_check) by performing multi-scalar point
+ *  multiplication on the scalars (`batch->scalars`) and points (`batch->points`)
+ *  present in the batch. Uses `secp256k1_ecmult_strauss_batch_internal` to perform
+ *  the multi-multiplication.
+ *
+ * Fails if:
+ * 0 != -(s1 + a2*s2 + ... + au*su)G
+ *      + R1 + a2*R2 + ... + au*Ru + e1*P1 + (a2*e2)P2 + ... + (au*eu)Pu.
+ */
+int secp256k1_batch_verify(const secp256k1_context *ctx, secp256k1_batch *batch) {
+    secp256k1_gej resj;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(batch != NULL);
+
+    if(batch->result == 0) {
+        return 0;
+    }
+
+    if (batch->len > 0) {
+        int strauss_ret = secp256k1_ecmult_strauss_batch_internal(&ctx->error_callback, batch->data, &resj, batch->scalars, batch->points, &batch->sc_g, batch->len);
+        int mid_res = secp256k1_gej_is_infinity(&resj);
+
+        /* `_strauss_batch_internal` should not fail due to insufficient memory.
+         * `batch_create` will allocate memeory needed by `_strauss_batch_internal`. */
+        VERIFY_CHECK(strauss_ret != 0);
+
+        batch->result = batch->result && mid_res;
+        secp256k1_batch_scratch_clear(batch);
+    }
+
+    return batch->result;
+}
+
 #endif /* SECP256K1_MODULE_BATCH_MAIN_H */