batch, extrakeys: Add benchmark for batch verify and tweak_add_check

This commit adds benchmarks for Schnorr signature batch verification,Tweaked
pubkey check batch verification, and Tweaked pubkey check (single verification).

For batch verify benchmark, the number of sigs (or checks) in the batch
varies from 1 to SECP256K1_BENCH_ITERS with a 20% increment.

Author: siv2r

src/bench.c

@@ -42,17 +42,27 @@ static void help(int default_iters) {
     printf("    ec_keygen         : EC public key generation\n");
 
 #ifdef ENABLE_MODULE_RECOVERY
-    printf("    ecdsa_recover     : ECDSA public key recovery algorithm\n");
+    printf("   ecdsa_recover            : ECDSA public key recovery algorithm\n");
 #endif
 
 #ifdef ENABLE_MODULE_ECDH
-    printf("    ecdh              : ECDH key exchange algorithm\n");
+    printf("   ecdh                     : ECDH key exchange algorithm\n");
 #endif
 
 #ifdef ENABLE_MODULE_SCHNORRSIG
-    printf("    schnorrsig        : all Schnorr signature algorithms (sign, verify)\n");
-    printf("    schnorrsig_sign   : Schnorr sigining algorithm\n");
-    printf("    schnorrsig_verify : Schnorr verification algorithm\n");
+    printf("   schnorrsig               : all Schnorr signature algorithms (sign, verify)\n");
+    printf("   schnorrsig_sign          : Schnorr sigining algorithm\n");
+    printf("   schnorrsig_verify        : Schnorr verification algorithm\n");
+# ifdef ENABLE_MODULE_BATCH
+    printf("   schnorrsig_batch_verify  : Batch verification of Schnorr signatures\n");
+# endif
+#endif
+
+#ifdef ENABLE_MODULE_EXTRAKEYS
+    printf("   tweak_add_check          : Checks if tweaked x-only pubkey is valid\n");
+# ifdef ENABLE_MODULE_BATCH
+    printf("   tweak_check_batch_verify : Batch verification of tweaked x-only pubkeys check\n");
+# endif
 #endif
 
 #ifdef ENABLE_MODULE_ELLSWIFT
@@ -157,6 +167,10 @@ static void bench_keygen_run(void *arg, int iters) {
 # include "modules/recovery/bench_impl.h"
 #endif
 
+#ifdef ENABLE_MODULE_EXTRAKEYS
+# include "modules/extrakeys/bench_impl.h"
+#endif
+
 #ifdef ENABLE_MODULE_SCHNORRSIG
 # include "modules/schnorrsig/bench_impl.h"
 #endif
@@ -179,7 +193,8 @@ int main(int argc, char** argv) {
     char* valid_args[] = {"ecdsa", "verify", "ecdsa_verify", "sign", "ecdsa_sign", "ecdh", "recover",
                          "ecdsa_recover", "schnorrsig", "schnorrsig_verify", "schnorrsig_sign", "ec",
                          "keygen", "ec_keygen", "ellswift", "encode", "ellswift_encode", "decode",
-                         "ellswift_decode", "ellswift_keygen", "ellswift_ecdh"};
+                         "ellswift_decode", "ellswift_keygen", "ellswift_ecdh",
+                         "batch_verify", "schnorrsig_batch_verify", "extrakeys", "tweak_add_check", "tweak_check_batch_verify"};
     size_t valid_args_size = sizeof(valid_args)/sizeof(valid_args[0]);
     int invalid_args = have_invalid_args(argc, argv, valid_args, valid_args_size);
 
@@ -221,6 +236,14 @@ int main(int argc, char** argv) {
     }
 #endif
 
+#ifndef ENABLE_MODULE_BATCH
+    if (have_flag(argc, argv, "batch_verify") || have_flag(argc, argv, "schnorrsig_batch_verify") || have_flag(argc, argv, "tweak_check_batch_verify")) {
+        fprintf(stderr, "./bench: Schnorr signatures module not enabled.\n");
+        fprintf(stderr, "Use ./configure --enable-module-schnorrsig.\n\n");
+        return 1;
+    }
+#endif
+
 #ifndef ENABLE_MODULE_ELLSWIFT
     if (have_flag(argc, argv, "ellswift") || have_flag(argc, argv, "ellswift_encode") || have_flag(argc, argv, "ellswift_decode") ||
         have_flag(argc, argv, "encode") || have_flag(argc, argv, "decode") || have_flag(argc, argv, "ellswift_keygen") ||
@@ -265,6 +288,11 @@ int main(int argc, char** argv) {
     run_recovery_bench(iters, argc, argv);
 #endif
 
+#ifdef ENABLE_MODULE_EXTRAKEYS
+    /* Extrakeys benchmarks */
+    run_extrakeys_bench(iters, argc, argv);
+#endif
+
 #ifdef ENABLE_MODULE_SCHNORRSIG
     /* Schnorr signature benchmarks */
     run_schnorrsig_bench(iters, argc, argv);

src/bench.h

@@ -120,7 +120,7 @@ static void run_benchmark(char *name, void (*benchmark)(void*, int), void (*setu
         sum += total;
     }
     /* ',' is used as a column delimiter */
-    printf("%-30s, ", name);
+    printf("%-35s, ", name);
     print_number(min * FP_MULT / iter);
     printf("   , ");
     print_number(((sum * FP_MULT) / count) / iter);
@@ -181,7 +181,7 @@ static void print_output_table_header_row(void) {
     char* min_str = "    Min(us)    "; /* center alignment */
     char* avg_str = "    Avg(us)    ";
     char* max_str = "    Max(us)    ";
-    printf("%-30s,%-15s,%-15s,%-15s\n", bench_str, min_str, avg_str, max_str);
+    printf("%-35s,%-15s,%-15s,%-15s\n", bench_str, min_str, avg_str, max_str);
     printf("\n");
 }
 

src/modules/extrakeys/bench_impl.h

@@ -0,0 +1,139 @@
+
+#ifndef SECP256K1_MODULE_EXTRAKEYS_BENCH_H
+#define SECP256K1_MODULE_EXTRAKEYS_BENCH_H
+
+#include "../../../include/secp256k1_extrakeys.h"
+#ifdef ENABLE_MODULE_BATCH
+# include "../../../include/secp256k1_batch.h"
+# include "../../../include/secp256k1_tweak_check_batch.h"
+#endif
+
+typedef struct {
+    secp256k1_context *ctx;
+#ifdef ENABLE_MODULE_BATCH
+    secp256k1_batch *batch;
+    /* number of tweak checks to batch verify.
+     * it varies from 1 to iters with 20% increments */
+    int n;
+#endif
+
+    const secp256k1_keypair **keypairs;
+    const unsigned char **pks;
+    const unsigned char **tweaked_pks;
+    const int **tweaked_pk_parities;
+    const unsigned char **tweaks;
+} bench_tweak_check_data;
+
+void bench_xonly_pubkey_tweak_add_check(void* arg, int iters) {
+    bench_tweak_check_data *data = (bench_tweak_check_data *)arg;
+    int i;
+
+    for (i = 0; i < iters; i++) {
+        secp256k1_xonly_pubkey pk;
+        CHECK(secp256k1_xonly_pubkey_parse(data->ctx, &pk, data->pks[i]) == 1);
+        CHECK(secp256k1_xonly_pubkey_tweak_add_check(data->ctx, data->tweaked_pks[i], *data->tweaked_pk_parities[i], &pk, data->tweaks[i]) == 1);
+    }
+}
+
+#ifdef ENABLE_MODULE_BATCH
+void bench_xonly_pubkey_tweak_add_check_n(void* arg, int iters) {
+    bench_tweak_check_data *data = (bench_tweak_check_data *)arg;
+    int i, j;
+
+    for (j = 0; j < iters/data->n; j++) {
+        for (i = 0; i < data->n; i++) {
+            secp256k1_xonly_pubkey pk;
+            CHECK(secp256k1_xonly_pubkey_parse(data->ctx, &pk, data->pks[j+i]) == 1);
+            CHECK(secp256k1_batch_usable(data->ctx, data->batch) == 1);
+            CHECK(secp256k1_batch_add_xonlypub_tweak_check(data->ctx, data->batch, data->tweaked_pks[j+i], *data->tweaked_pk_parities[j+i], &pk, data->tweaks[j+i]) == 1);
+        }
+        CHECK(secp256k1_batch_verify(data->ctx, data->batch) == 1);
+    }
+}
+#endif
+
+void run_extrakeys_bench(int iters, int argc, char** argv) {
+    int i;
+    bench_tweak_check_data data;
+    int d = argc == 1;
+
+    data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
+    data.keypairs = (const secp256k1_keypair **)malloc(iters * sizeof(secp256k1_keypair *));
+    data.pks = (const unsigned char **)malloc(iters * sizeof(unsigned char *));
+    data.tweaked_pks = (const unsigned char **)malloc(iters * sizeof(unsigned char *));
+    data.tweaked_pk_parities = (const int **)malloc(iters * sizeof(int *));
+    data.tweaks = (const unsigned char **)malloc(iters * sizeof(unsigned char *));
+#ifdef ENABLE_MODULE_BATCH
+    data.batch = secp256k1_batch_create(data.ctx, iters, NULL);
+    CHECK(data.batch != NULL);
+#endif
+
+    for (i = 0; i < iters; i++) {
+        unsigned char sk[32];
+        unsigned char *tweaked_pk_char = (unsigned char *)malloc(32);
+        int *tweaked_pk_parity = (int *)malloc(sizeof(int)); /*todo: use sizeof(*twk_parity) instead?*/
+        unsigned char *tweak = (unsigned char *)malloc(32);
+        secp256k1_keypair *keypair = (secp256k1_keypair *)malloc(sizeof(*keypair));
+        unsigned char *pk_char = (unsigned char *)malloc(32);
+        secp256k1_xonly_pubkey pk;
+        secp256k1_pubkey output_pk;
+        secp256k1_xonly_pubkey output_pk_xonly;
+        tweak[0] = sk[0] = i;
+        tweak[1] = sk[1] = i >> 8;
+        tweak[2] = sk[2] = i >> 16;
+        tweak[3] = sk[3] = i >> 24;
+        memset(&tweak[4], 't', 28);
+        memset(&sk[4], 's', 28);
+
+        data.keypairs[i] = keypair;
+        data.pks[i] = pk_char;
+        data.tweaked_pks[i] = tweaked_pk_char;
+        data.tweaked_pk_parities[i] = tweaked_pk_parity;
+        data.tweaks[i] = tweak;
+
+        CHECK(secp256k1_keypair_create(data.ctx, keypair, sk));
+        CHECK(secp256k1_keypair_xonly_pub(data.ctx, &pk, NULL, keypair));
+        CHECK(secp256k1_xonly_pubkey_tweak_add(data.ctx, &output_pk, &pk, tweak));
+        CHECK(secp256k1_xonly_pubkey_from_pubkey(data.ctx, &output_pk_xonly, tweaked_pk_parity, &output_pk));
+        CHECK(secp256k1_xonly_pubkey_serialize(data.ctx, tweaked_pk_char, &output_pk_xonly) == 1);
+        CHECK(secp256k1_xonly_pubkey_serialize(data.ctx, pk_char, &pk) == 1);
+    }
+
+    if (d || have_flag(argc, argv, "extrakeys") || have_flag(argc, argv, "tweak_add_check")) run_benchmark("tweak_add_check", bench_xonly_pubkey_tweak_add_check, NULL, NULL, (void *) &data, 10, iters);
+#ifdef ENABLE_MODULE_BATCH
+    if (d || have_flag(argc, argv, "extrakeys") || have_flag(argc, argv, "batch_verify") || have_flag(argc, argv, "tweak_check_batch_verify")) {
+        for (i = 1; i <= iters; i = (int)(i*1.2 + 1)) {
+            char name[64];
+            int divisible_iters;
+            sprintf(name, "tweak_check_batch_verify_%d", (int) i);
+
+            data.n = i;
+            divisible_iters = iters - (iters % data.n);
+            run_benchmark(name, bench_xonly_pubkey_tweak_add_check_n, NULL, NULL, (void *) &data, 3, divisible_iters);
+            fflush(stdout);
+        }
+    }
+#endif
+
+    for (i = 0; i < iters; i++) {
+        free((void *)data.keypairs[i]);
+        free((void *)data.pks[i]);
+        free((void *)data.tweaked_pks[i]);
+        free((void *)data.tweaked_pk_parities[i]);
+        free((void *)data.tweaks[i]);
+    }
+
+    /* Casting to (void *) avoids a stupid warning in MSVC. */
+    free((void *)data.keypairs);
+    free((void *)data.pks);
+    free((void *)data.tweaked_pks);
+    free((void *)data.tweaked_pk_parities);
+    free((void *)data.tweaks);
+
+#ifdef ENABLE_MODULE_BATCH
+    secp256k1_batch_destroy(data.ctx, data.batch);
+#endif
+    secp256k1_context_destroy(data.ctx);
+}
+
+#endif /* SECP256K1_MODULE_EXTRAKEYS_BENCH_H */

src/modules/schnorrsig/bench_impl.h

@@ -8,12 +8,21 @@
 #define SECP256K1_MODULE_SCHNORRSIG_BENCH_H
 
 #include "../../../include/secp256k1_schnorrsig.h"
+#ifdef ENABLE_MODULE_BATCH
+# include "../../../include/secp256k1_batch.h"
+# include "../../../include/secp256k1_schnorrsig_batch.h"
+#endif
 
 #define MSGLEN 32
 
 typedef struct {
     secp256k1_context *ctx;
+#ifdef ENABLE_MODULE_BATCH
+    secp256k1_batch *batch;
+    /* number of signatures to batch verify.
+     * it varies from 1 to iters with 20% increments */
     int n;
+#endif
 
     const secp256k1_keypair **keypairs;
     const unsigned char **pk;
@@ -45,7 +54,24 @@ static void bench_schnorrsig_verify(void* arg, int iters) {
     }
 }
 
-static void run_schnorrsig_bench(int iters, int argc, char** argv) {
+#ifdef ENABLE_MODULE_BATCH
+void bench_schnorrsig_verify_n(void* arg, int iters) {
+    bench_schnorrsig_data *data = (bench_schnorrsig_data *)arg;
+    int i, j;
+
+    for (j = 0; j < iters/data->n; j++) {
+        for (i = 0; i < data->n; i++) {
+            secp256k1_xonly_pubkey pk;
+            CHECK(secp256k1_xonly_pubkey_parse(data->ctx, &pk, data->pk[j+i]) == 1);
+            CHECK(secp256k1_batch_usable(data->ctx, data->batch) == 1);
+            CHECK(secp256k1_batch_add_schnorrsig(data->ctx, data->batch, data->sigs[j+i], data->msgs[j+i], MSGLEN, &pk) == 1);
+        }
+        CHECK(secp256k1_batch_verify(data->ctx, data->batch) == 1);
+    }
+}
+#endif
+
+void run_schnorrsig_bench(int iters, int argc, char** argv) {
     int i;
     bench_schnorrsig_data data;
     int d = argc == 1;
@@ -55,6 +81,10 @@ static void run_schnorrsig_bench(int iters, int argc, char** argv) {
     data.pk = (const unsigned char **)malloc(iters * sizeof(unsigned char *));
     data.msgs = (const unsigned char **)malloc(iters * sizeof(unsigned char *));
     data.sigs = (const unsigned char **)malloc(iters * sizeof(unsigned char *));
+#ifdef ENABLE_MODULE_BATCH
+    data.batch = secp256k1_batch_create(data.ctx, 2*iters, NULL);
+    CHECK(data.batch != NULL);
+#endif
 
     CHECK(MSGLEN >= 4);
     for (i = 0; i < iters; i++) {
@@ -84,6 +114,20 @@ static void run_schnorrsig_bench(int iters, int argc, char** argv) {
 
     if (d || have_flag(argc, argv, "schnorrsig") || have_flag(argc, argv, "sign") || have_flag(argc, argv, "schnorrsig_sign")) run_benchmark("schnorrsig_sign", bench_schnorrsig_sign, NULL, NULL, (void *) &data, 10, iters);
     if (d || have_flag(argc, argv, "schnorrsig") || have_flag(argc, argv, "verify") || have_flag(argc, argv, "schnorrsig_verify")) run_benchmark("schnorrsig_verify", bench_schnorrsig_verify, NULL, NULL, (void *) &data, 10, iters);
+#ifdef ENABLE_MODULE_BATCH
+    if (d || have_flag(argc, argv, "schnorrsig") || have_flag(argc, argv, "batch_verify") || have_flag(argc, argv, "schnorrsig_batch_verify")) {
+        for (i = 1; i <= iters; i = (int)(i*1.2 + 1)) {
+            char name[64];
+            int divisible_iters;
+            sprintf(name, "schnorrsig_batch_verify_%d", (int) i);
+
+            data.n = i;
+            divisible_iters = iters - (iters % data.n);
+            run_benchmark(name, bench_schnorrsig_verify_n, NULL, NULL, (void *) &data, 3, divisible_iters);
+            fflush(stdout);
+        }
+    }
+#endif
 
     for (i = 0; i < iters; i++) {
         free((void *)data.keypairs[i]);
@@ -98,6 +142,9 @@ static void run_schnorrsig_bench(int iters, int argc, char** argv) {
     free((void *)data.msgs);
     free((void *)data.sigs);
 
+#ifdef ENABLE_MODULE_BATCH
+    secp256k1_batch_destroy(data.ctx, data.batch);
+#endif
     secp256k1_context_destroy(data.ctx);
 }