type BatchVerifier = Verifier;Expand description
The type of the batch verifier.
Aliased Type§
struct BatchVerifier(/* private fields */);Implementations
§impl Verifier
impl Verifier
pub fn new() -> Verifier
pub fn new() -> Verifier
Construct a new batch verifier.
pub fn verify<R>(self, rng: R) -> Result<(), Error>
pub fn verify<R>(self, rng: R) -> Result<(), Error>
Perform batch verification, returning Ok(()) if all signatures were
valid and Err otherwise.
The batch verification equation is:
h_G * ( -[sum(z_i * s_i)]P_G + sum([z_i]R_i) + sum([z_i * c_i]VK_i) ) = 0_G
as given in https://zips.z.cash/protocol/protocol.pdf#reddsabatchvalidate (the terms are split out so that we can use multiscalar multiplication speedups).
where for each signature i,
- VK_i is the verification key;
- R_i is the signature’s R value;
- s_i is the signature’s s value;
- c_i is the hash of the message and other data;
- z_i is a random 128-bit Scalar;
- h_G is the cofactor of the group;
- P_G is the generator of the subgroup;
Since RedJubjub uses different subgroups for different types of signatures, SpendAuth’s and Binding’s, we need to have yet another point and associated scalar accumulator for all the signatures of each type in our batch, but we can still amortize computation nicely in one multiscalar multiplication:
h_G * ( [-sum(z_i * s_i): i_type == SpendAuth]P_SpendAuth + [-sum(z_i * s_i): i_type == Binding]P_Binding + sum([z_i]R_i) + sum([z_i * c_i]VK_i) ) = 0_G
As follows elliptic curve scalar multiplication convention, scalar variables are lowercase and group point variables are uppercase. This does not exactly match the RedDSA notation in the protocol specification §B.1.