bip-340: recreate batch verify speedup graph w/ latest libsecp256k1

bip-0340.mediawiki

@@ -58,7 +58,7 @@ encodings and operations.
 # Signatures are pairs ''(e, s)'' that satisfy ''e = hash(s⋅G - e⋅P || m)''. This variant avoids minor complexity introduced by the encoding of the point ''R'' in the signature (see paragraphs "Encoding R and public key point P" and "Implicit Y coordinates" further below in this subsection). Moreover, revealing ''e'' instead of ''R'' allows for potentially shorter signatures: Whereas an encoding of ''R'' inherently needs about 32 bytes, the hash ''e'' can be tuned to be shorter than 32 bytes, and [http://www.neven.org/papers/schnorr.pdf a short hash of only 16 bytes suffices to provide SUF-CMA security at the target security level of 128 bits]. However, a major drawback of this optimization is that finding collisions in a short hash function is easy. This complicates the implementation of secure signing protocols in scenarios in which a group of mutually distrusting signers work together to produce a single joint signature (see Applications below). In these scenarios, which are not captured by the SUF-CMA model due its assumption of a single honest signer, a promising attack strategy for malicious co-signers is to find a collision in the hash function in order to obtain a valid signature on a message that an honest co-signer did not intend to sign.
 # Signatures are pairs ''(R, s)'' that satisfy ''s⋅G = R + hash(R || m)⋅P''. This supports batch verification, as there are no elliptic curve operations inside the hashes. Batch verification enables significant speedups.
 
-[[File:bip-0340/speedup-batch.png|center|frame|This graph shows the ratio between the time it takes to verify ''n'' signatures individually and to verify a batch of ''n'' signatures. This ratio goes up logarithmically with the number of signatures, or in other words: the total time to verify ''n'' signatures grows with ''O(n / log n)''.]]
+[[File:bip-0340/speedup-batch/speedup-batch.png|center|frame|This graph<ref>The Makefile to create this graph can be found [[bip-0340/speedup-batch/Makefile|here]].</ref> shows the ratio between the time it takes to verify ''n'' signatures individually and to verify a batch of ''n'' signatures. This ratio goes up logarithmically with the number of signatures, or in other words: the total time to verify ''n'' signatures grows with ''O(n / log n)''.]]
 
 Since we would like to avoid the fragility that comes with short hashes, the ''e'' variant does not provide significant advantages. We choose the ''R''-option, which supports batch verification. 
 

bip-0340/speedup-batch/Makefile

@@ -0,0 +1,11 @@
+bench_output.txt: bench.sh
+	SECP256K1_BENCH_ITERS=100000 ./bench.sh bench_output.txt
+
+batch.dat: bench_output.txt
+	cat bench_output.txt | grep -v "schnorrsig_batch_verify_1:" | gawk 'match($$0, /schnorrsig_batch_verify_(.*):.*avg (.*)us /, a) {print a[1] " " a[2]}' > batch.dat
+
+single.dat: bench_output.txt
+	cat bench_output.txt | awk 'match($$0, /schnorrsig_verify:.*avg (.*)us /, a) {print a[1]}' > single.dat
+
+speedup-batch.png: batch.dat single.dat plot.p
+	gnuplot plot.p

bip-0340/speedup-batch/bench.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+output_file=$1
+cur_dir=$(pwd)
+temp_dir=$(mktemp -d)
+trap 'rm -rf "$temp_dir"' EXIT
+
+cd $temp_dir
+git clone [email protected]:jonasnick/secp256k1.git
+cd secp256k1
+git checkout fd34bfdf06db272f6a435d68de6eb9385d1cec52
+./autogen.sh
+./configure --enable-experimental --enable-module-schnorrsig
+make -j
+./bench_schnorrsig > "$cur_dir/$output_file"

bip-0340/speedup-batch/bench_output.txt

@@ -0,0 +1,19 @@
+schnorrsig_sign: min 25.7us / avg 25.7us / max 25.8us
+schnorrsig_verify: min 43.0us / avg 44.1us / max 44.9us
+schnorrsig_batch_verify_1: min 49.4us / avg 49.7us / max 50.0us
+schnorrsig_batch_verify_2: min 45.4us / avg 45.5us / max 45.6us
+schnorrsig_batch_verify_4: min 41.8us / avg 42.2us / max 42.4us
+schnorrsig_batch_verify_8: min 40.7us / avg 40.7us / max 40.8us
+schnorrsig_batch_verify_16: min 40.3us / avg 40.8us / max 41.0us
+schnorrsig_batch_verify_32: min 40.3us / avg 40.5us / max 40.7us
+schnorrsig_batch_verify_64: min 37.7us / avg 38.0us / max 38.1us
+schnorrsig_batch_verify_128: min 34.1us / avg 34.1us / max 34.2us
+schnorrsig_batch_verify_256: min 31.1us / avg 31.5us / max 31.6us
+schnorrsig_batch_verify_512: min 29.9us / avg 30.0us / max 30.0us
+schnorrsig_batch_verify_1024: min 28.0us / avg 28.0us / max 28.0us
+schnorrsig_batch_verify_2048: min 26.1us / avg 26.4us / max 26.7us
+schnorrsig_batch_verify_4096: min 25.0us / avg 25.1us / max 25.1us
+schnorrsig_batch_verify_8192: min 25.1us / avg 25.4us / max 25.6us
+schnorrsig_batch_verify_16384: min 25.2us / avg 25.2us / max 25.2us
+schnorrsig_batch_verify_32768: min 24.4us / avg 24.6us / max 24.8us
+schnorrsig_batch_verify_65536: min 24.4us / avg 24.4us / max 24.4us

bip-0340/speedup-batch/plot.p

@@ -0,0 +1,37 @@
+set style line 80 lt rgb "#808080"
+set style line 81 lt 0
+set style line 81 lt rgb "#808080"
+set grid back linestyle 81
+set border 3 back linestyle 80
+set xtics nomirror
+set ytics nomirror
+set style line 1 lt rgb "#A00000" lw 2 pt 1
+set style line 2 lt rgb "#00A000" lw 2 pt 6
+set style line 3 lt rgb "#5060D0" lw 2 pt 2
+set style line 4 lt rgb "#F25900" lw 2 pt 9
+set key bottom right
+set autoscale
+unset log
+unset label
+set xtic auto
+set ytic auto
+set title "Batch signature verification in libsecp256k1"
+set xlabel "Number of signatures (logarithmic)"
+set ylabel "Verification time per signature in us"
+set grid
+set logscale x
+set mxtics 10
+
+single_val=system("cat single.dat")
+f(x) = a + c*log(x)
+fit f(x) "batch.dat" using 1:(single_val/$2) via a, c
+# only plot the fitted line for x >= 2
+g(x)=((x>=2) ? f(x) : 1/0)
+set xrange [1.1:]
+set xtics add ("2" 2)
+set yrange [0.9:]
+set ytics -1,0.1,3
+set ylabel "Speedup over single verification"
+set term png size 800,600
+set output 'speedup-batch.png'
+plot    "batch.dat" using 1:(single_val/$2) with points title "" ls 1, g(x) title "log(x) fit" ls 2