@cce cce commented Sep 12, 2025

Summary

This adds a pure-Go ed25519 BatchVerifier implementation based on the ed25519consensus library, plus additional checks to preserve our ed25519 validation criteria, last updated in #3031 (reject small order A; reject non-canonical A, R, S; use the cofactor equation).

Like our libsodium batch verification implementation, the IsCanonicalY check here is also based on the "Taming the Many EdDSAs" paper in https://eprint.iacr.org/2020/1244

Test Plan

New tests added to compare ed25519 criteria results match our existing libsodium- and ed25519-donna-based batch verification implementation (from #3031 and defined in algorandfoundation/specs#60). New test helpers run test vectors with different batch sizes, taken from

codecov bot commented Sep 12, 2025

Codecov Report

❌ Patch coverage is 82.70677% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.72%. Comparing base (8245ed1) to head (b809fa7).
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| crypto/gobatchverifier.go | 91.08% | 6 Missing and 3 partials ⚠️ |
| crypto/batchverifier.go | 72.00% | 7 Missing ⚠️ |
| crypto/onetimesig.go | 0.00% | 7 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #6440      +/-   ##
==========================================
- Coverage   50.84%   50.72%   -0.12%     
==========================================
  Files         664      658       -6     
  Lines      111455   111478      +23     
==========================================
- Hits        56665    56552     -113     
- Misses      51924    52044     +120     
- Partials     2866     2882      +16     

zeldovich previously approved these changes Sep 16, 2025
@cce cce requested a review from algorandskiy September 18, 2025 03:05
cce commented Sep 18, 2025

OK, updated with @jannotti's feedback and brought in more test vectors from crypto/ed25519/ed25519vectors_test.go plus new tests specifically for isCanonicalPoint and hasSmallOrder.

@cce cce requested review from jannotti and zeldovich September 18, 2025 18:08
jannotti previously approved these changes Sep 18, 2025
@cce cce merged commit c2bb30f into algorand:master Sep 22, 2025
40 checks passed
algorandskiy pushed a commit to algorandskiy/go-algorand that referenced this pull request Sep 25, 2025
This adds a pure-Go ed25519 BatchVerifier implementation based on the ed25519consensus library, with additional checks to preserve our ed25519 validation criteria, last updated in algorand#3031.

Like our libsodium batch verification implementation, the IsCanonicalY check here is also based on the "Taming the Many EdDSAs" paper in https://eprint.iacr.org/2020/1244

New tests added to compare ed25519 criteria results match our existing libsodium- and ed25519-donna-based batch verification implementation (from algorand#3031 and defined in algorandfoundation/specs#60). New test helpers run test vectors with different batch sizes, taken from
- 12 edge cases from "Taming the many EdDSAs" Appendix C, Table 6c, also used in our libsodium fork's tests in batch verification: add ed25519 batch verification implementation algorand#3031
- 1025 successful cases from our libsodium fork's tests, also added in batch verification: add ed25519 batch verification implementation algorand#3031.
- 196 edge cases used to draw the 14x14 grid visualizations from the blog post "It's 255:19AM. Do you know what your validation criteria are?" and used in ed25519consensus
- 768 edge cases from the Go crypto package's crypto/ed25519/ed25519vectors_test.go
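
An added example, not code from this PR or from go-algorand: a minimal Go sketch of the two canonical-encoding rules named in the summary (y-coordinate of A or R below p, scalar S below L). The function names are hypothetical, `math/big` is used for clarity rather than the byte-wise comparisons a production verifier would use, and the small-order and cofactor-equation checks are not covered.

```go
package main

import (
	"fmt"
	"math/big"
)

// Field prime p = 2^255 - 19; subgroup order L = 2^252 + 27742317777372353535851937790883648493.
var (
	fieldP = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))
	orderL = func() *big.Int {
		c, _ := new(big.Int).SetString("27742317777372353535851937790883648493", 10)
		return c.Add(c, new(big.Int).Lsh(big.NewInt(1), 252))
	}()
)

// leToInt reads b as a little-endian unsigned integer.
func leToInt(b []byte) *big.Int {
	be := make([]byte, len(b))
	for i, v := range b {
		be[len(b)-1-i] = v
	}
	return new(big.Int).SetBytes(be)
}

// encodeLE writes v (which must be < 2^256) as 32 little-endian bytes.
func encodeLE(v *big.Int) (out [32]byte) {
	for i, b := range v.FillBytes(make([]byte, 32)) {
		out[31-i] = b
	}
	return out
}

// isCanonicalY reports whether the y-coordinate in a 32-byte point encoding
// (A or R) is fully reduced: with the x sign bit masked off, y must be < p.
func isCanonicalY(enc [32]byte) bool {
	enc[31] &= 0x7f // top bit carries the sign of x, not part of y
	return leToInt(enc[:]).Cmp(fieldP) < 0
}

// isCanonicalS reports whether the scalar half of a signature satisfies S < L.
// Inputs are public, so a variable-time big.Int comparison is acceptable here.
func isCanonicalS(s [32]byte) bool {
	return leToInt(s[:]).Cmp(orderL) < 0
}

func main() {
	// Constructed samples: y = p aliases y = 0, and S = L aliases S = 0.
	fmt.Println(isCanonicalY(encodeLE(fieldP)), isCanonicalS(encodeLE(orderL)))
}
```

Only 19 values of y (p through 2^255 - 1) are rejected by the first check, which is why edge-case vectors like the ones listed above are needed to exercise it.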