Optimistic rollups may be able to reduce calldata costs by aggregating ECDSA signatures from their on-chain transaction data into a SNARK. This document outlines some of the steps that would be necessary specifically.
An ECDSA signature on an elliptic curve group with base point G of order n consists of a pair of non-zero integers (r, s) mod n. To verify that a message m was signed by public key Q, we check for a hash H(m) \in [0, n - 1] that:
Q is a valid public key(x, y) = (H(m) s^{-1}) G + (r s^{-1}) Q, check that (x, y) is not O and that r = x.We can extend this to ECDSA* verification, meaning that there is a point R = (r, r') so that R = (H(m) s^{-1}) G + (r s^{-1}) Q. We can ask the prover to provide r'.
For batch verification, suppose we have signatures (r_i, s_i) for messages m_i with hashes h_i = H(m_i) and public keys Q_i. For the completed signatures R_i = (r_i, r_i') provided by the prover and a random t in [0, n - 1], we verify the RLC equation
sum_i t^i R_i = (sum_i t^i (h_i s_i^{-1})) G + sum_i t^i (r_i s_i^{-1}) Q_i
For k signatures, this requires:
5k BigInt multiplications mod n.2k + 1 base points and these coefficients.R_i is a valid completion of (r_i, -) to a point on the curve.GWe do this by amortizing the double steps in the double and add algorithm, so if n has 256 bits, this should cost:
(2k + 1) * 256 secp256k1 addsThe cost of k independent ECDSA verifications is:
256 * k secp256k1 doubles2k * 256 secp256k1 addsGIf we cache multiples of G with a window of size 10, we get
(2k) * 256 + 26 + 1 secp256k1 addsThe cost of k independent ECDSA verifications is:
256 * k secp256k1 doubles256 * k + 27 * k secp256k1 addsGSuppose we use the dynamic windowed method with window size w and also cache G with window size 10. Our costs are:
2^w * 2 k adds for dynamic caching of multiples of R_i and Q_i256 doubles shared on the batch MSM26 additions for G(256 / w) * (2k) additions for R_i and Q_iThis is a total of 256 doubles and (2 * 2^w + 512/w)k + 26 additions when we ignore costs of selecting.
If we use the dynamic windowed method on each signature separately, we get:
2^w * k adds for dynamic caching of multiples of Q_i256 * k doubles26 * k additions for G(256/w) * k additionsThis is a total of 256k doubles and (2^w + 256/w + 26)k adds.
Note: This is the strategy suggested at:
ZK Circuits
Snark spec:
Inputs:
* hash(T_i), addr_i, sig_i, 1<=i<=BATCH_SIZE, private inputs
* merkle_root(hash(T_i) || a_i for all i), public output
Compute witness variable:
* pubkey_i := ecrecover(hash(T_i), sig_i)
Constraints:
* pubToAddr(pubkey_i) == addr_i for all i
* BatchVerify(hash(T_i), sig_i, pubkey_i for all i) == true
* merkelize(hash(T_i) || a_i for all i).root is public output
Possibly will want to use batch Keccak optmizations.
Steps to Production
We can estimate the gains from this approach in two ways:
A few consequences:
The SNARKs for batch ECDSA verification will need to be generated before commitment on L1, which may introduce more latency in this process.
-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
Subscribe