# Circuit for Batch Verification of Falcon Signatures
## 1. Notation
* $n$ -- ring degree (512 or 1024)
* $q$ -- modulus $=12289 = 3\cdot 2^{12}+1$
* $\widehat{\beta} = \lfloor\beta^2\rfloor$ -- max norm (34 034 726 or 70 265 242)
* $\phi=X^n+1$
## 2. Single Signature Verification
Inputs:
* $r\in Z_2^{320}$
* $m$ -- bytestring
* $s$
* public key $h\in Z_q[X]/\phi$
Procedure:
1. $c\in Z_q[X]/\phi\leftarrow HashToPoint(r||m)$:
* Iterate SHAKE-256 on $r||m$;
* Extract 16 bits as $b$. If the number $b$ is $<3q$, take $b\bmod q$ as
a polynomial coefficient.
2. $s_2\in Z_q[X]/\phi\leftarrow Decompress(s)$. Reject invalid $s_2$.
3. $s_1 \in Z_q[X]/\phi\leftarrow c-s_2h$.
4. Normalize $s_1$: subtract $q$ from each coefficient that exceeds $\lfloor q/2\rfloor$.
5. Compute $A=||(s_1,s_2)||=\sum_i (s_{1,i}^2 +s_{2,i}^2)$.
6. If $A^2\leq \widehat{\beta}$
* then ACCEPT
* else REJECT.
Modified procedure:
3. Sample $z$ points $\alpha_1,\alpha_2,\ldots,\alpha_z$. Verify the statement $s_1 = c-s_2h$ on these $z$ points. If points are sampled via Fiat-Shamir, we need $z = \lambda /\log_2 \frac{q}{n}$ points, otherwise we need $n+1$ points.
## 3. Circuit for Batch Verification
### 3.1 Same $r$ and $m$ values for all signatures.
In this case Aggregator passes $r,m$ in the cleartext and both Verifier and Aggregator
can compute $c$ off-circuit.
#### Parameters
* $\ell$ --- number of signatures aggregated. The $i$-th signature is denoted as $(r,s[i])$;
* $r$ --- the scalar field $\mathbb{F}$ size of the proof system (a number of about 254 bit size).
* $w$ --- the number of points in $Z_q$ necessary to check the equality of degree $n$ polynomials with security level $\lambda$. Computed as
$$
z = \lambda /\log_2 \frac{q}{n}
$$
#### Committed Inputs
* $C$ is a commitment to $r,\{s_2[i]\}$
#### Precomputation
* Compute $\alpha_1,\alpha_2,\ldots,\alpha_s \in Z_q \leftarrow Hash(C)$.
#### Public Inputs
* Public keys $h[1],h[2],\ldots, h[\ell]\in \mathbb{F}^n$
#### Constants
* Polynomial $c(X)$.
* Evaluations of $h[i]$ at points $\alpha_j$.
#### Private Inputs
* $\{s_2[i]\}\in \mathbb{F}^n$
#### Internal variables
* $\{s_1[i]\}\in \mathbb{F}^n$
* $\{t_{i,j}\}\in \mathbb{F}$
#### Constraints
* Coefficients range check:
* $s_1[i]_j<q$. $14n$ constraints per signature
* $s_2[i]_j<q$. $14n$ constraints per signature
* Polynomial evaluation
\begin{align}
s_1[i](\alpha_j) &= w_{i,j};\;\quad z\text{ linear constraints per signature}\\
s_2[i](\alpha_j) &= w_{i,j}';\;\quad z\text{ linear constraints per signature}\\
h[i](\alpha_j) &= w_{i,j}'';\;\quad \text{ constant}\\
w_{i,j} &= c(\alpha_j)-w_{i,j}'\cdot w_{i,j}'' + q\cdot t_{i,j};\;\quad z\text{ multiplicative constraints per signature};\\
|t_{i,j}|&<nq+2n+1;\quad z(14+ \log n)\text{ multiplicative constraints per signature};\\
\end{align}
Cost is $z(15 + \log n)$ mult constraints per signature.
* Normalization:
* Sign of $s_1[i]_j$ can be obtained for free from the range check (see above);
* The rest is $1$ linear constraint per signature.
* Bounding
* Computation ($2n$ multiplicative constraints per signature)
$$
A^2 = \sum_j s_1[i]_j^2 + s_2[i]_j^2
$$
* Bound $A^2 \leq \widehat{\beta}$ -- 25 or 26 mult constraints per signature.
In total we have $30n+z(15+\log n)$ mult constraints
For Falcon-512 and 128-bit security we have $z=29$ and thus totally about 16056 mult constraints. For Falcon-1024 we get $z=37$ and thus about 31645 constraints.
### 3.2 Distinct $r$ and $m$ values for all signatures.
In this case still both Verifier and Aggregator can compute $c$ polynomials off-circuit but they are distinct. The circuit construction does not change much except that we replace $c(\alpha_j)$ with $c[i](\alpha_j)$ (both sets are constants). The number of constraints does not change then.