From 0a5e6128680c8b4f43fcb2d0450d41d5e4603c9d Mon Sep 17 00:00:00 2001
From: Fabian Jahr <fjahr@protonmail.com>
Date: Sun, 25 Feb 2024 21:02:17 +0100
Subject: [PATCH] BatchVerify: Add basic schnorr sig batch verification in
 ConnectBlock()

---
 src/Makefile.am                      |  2 ++
 src/batchverify.cpp                  | 46 ++++++++++++++++++++++++++++
 src/batchverify.h                    | 26 ++++++++++++++++
 src/script/sigcache.cpp              | 15 +++++++++
 src/script/sigcache.h                | 15 +++++++++
 src/test/txvalidationcache_tests.cpp |  3 +-
 src/validation.cpp                   | 25 ++++++++++++---
 src/validation.h                     |  6 ++--
 8 files changed, 130 insertions(+), 8 deletions(-)
 create mode 100644 src/batchverify.cpp
 create mode 100644 src/batchverify.h

diff --git a/src/Makefile.am b/src/Makefile.am
index 3e8870c8286684..8a7f56cf011b5b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -128,6 +128,7 @@ BITCOIN_CORE_H = \
   attributes.h \
   banman.h \
   base58.h \
+	batchverify.h \
   bech32.h \
   bip324.h \
   blockencodings.h \
@@ -678,6 +679,7 @@ libbitcoin_common_a_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 libbitcoin_common_a_SOURCES = \
   addresstype.cpp \
   base58.cpp \
+	batchverify.cpp \
   bech32.cpp \
   chainparams.cpp \
   coins.cpp \
diff --git a/src/batchverify.cpp b/src/batchverify.cpp
new file mode 100644
index 00000000000000..ca79cb0726346e
--- /dev/null
+++ b/src/batchverify.cpp
@@ -0,0 +1,46 @@
+// Copyright (c) 2024 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <batchverify.h>
+#include <logging.h>
+#include <pubkey.h>
+#include <random.h>
+#include <sync.h>
+
+#include <secp256k1.h>
+#include <secp256k1_batch.h>
+#include <secp256k1_schnorrsig_batch.h>
+
+BatchSchnorrVerifier::BatchSchnorrVerifier() {
+    unsigned char rnd[16];
+    GetRandBytes(rnd);
+    // This is the maximum number of scalar-point pairs on the batch for which
+    // Strauss' algorithm, which is used in the secp256k1 implementation, is
+    // still efficient.
+    const size_t max_batch_size{106};
+    secp256k1_batch* batch{secp256k1_batch_create(secp256k1_context_static, max_batch_size, rnd)};
+    m_batch = batch;
+}
+
+BatchSchnorrVerifier::~BatchSchnorrVerifier() {
+    (void)secp256k1_batch_destroy(secp256k1_context_static, m_batch);
+}
+
+bool BatchSchnorrVerifier::Add(const Span<const unsigned char> sig, const XOnlyPubKey& pubkey, const uint256& sighash) {
+    LOCK(m_batch_mutex);
+    if (secp256k1_batch_usable(secp256k1_context_static, m_batch) == 0) {
+        LogPrintf("ERROR: BatchSchnorrVerifier m_batch unusable\n");
+        return false;
+    }
+
+    secp256k1_xonly_pubkey pubkey_parsed;
+    (void)secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey_parsed, pubkey.data());
+
+    return secp256k1_batch_add_schnorrsig(secp256k1_context_static, m_batch, sig.data(), sighash.begin(), 32, &pubkey_parsed);
+}
+
+bool BatchSchnorrVerifier::Verify() {
+    LOCK(m_batch_mutex);
+    return secp256k1_batch_verify(secp256k1_context_static, m_batch);
+}
diff --git a/src/batchverify.h b/src/batchverify.h
new file mode 100644
index 00000000000000..dc69130cfd2177
--- /dev/null
+++ b/src/batchverify.h
@@ -0,0 +1,26 @@
+// Copyright (c) 2024 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#ifndef BITCOIN_BATCHVERIFY_H
+#define BITCOIN_BATCHVERIFY_H
+
+#include <pubkey.h>
+#include <sync.h>
+
+#include <secp256k1_batch.h>
+
+class BatchSchnorrVerifier {
+private:
+    secp256k1_batch* m_batch GUARDED_BY(m_batch_mutex);
+    mutable Mutex m_batch_mutex;
+
+public:
+    BatchSchnorrVerifier();
+    ~BatchSchnorrVerifier();
+
+    bool Add(const Span<const unsigned char> sig, const XOnlyPubKey& pubkey, const uint256& sighash) EXCLUSIVE_LOCKS_REQUIRED(!m_batch_mutex);
+    bool Verify() EXCLUSIVE_LOCKS_REQUIRED(!m_batch_mutex);
+};
+
+#endif // BITCOIN_BATCHVERIFY_H
diff --git a/src/script/sigcache.cpp b/src/script/sigcache.cpp
index 7c6c282cc470d6..2a21a78e475aea 100644
--- a/src/script/sigcache.cpp
+++ b/src/script/sigcache.cpp
@@ -5,6 +5,7 @@
 
 #include <script/sigcache.h>
 
+#include <batchverify.h>
 #include <common/system.h>
 #include <logging.h>
 #include <pubkey.h>
@@ -127,3 +128,17 @@ bool CachingTransactionSignatureChecker::VerifySchnorrSignature(Span<const unsig
     if (store) signatureCache.Set(entry);
     return true;
 }
+
+bool BatchingCachingTransactionSignatureChecker::VerifySchnorrSignature(Span<const unsigned char> sig, const XOnlyPubKey& pubkey, const uint256& sighash) const
+{
+    uint256 entry;
+    signatureCache.ComputeEntrySchnorr(entry, sighash, sig, pubkey);
+    if (signatureCache.Get(entry, !GetStore())) return true;
+
+    return m_batch->Add(sig, pubkey, sighash);
+}
+
+bool BatchingCachingTransactionSignatureChecker::VerifySchnorrSignatureBatch() const
+{
+    return m_batch->Verify();
+}
diff --git a/src/script/sigcache.h b/src/script/sigcache.h
index d33d60d5bcb887..484d8a9d0cd4c1 100644
--- a/src/script/sigcache.h
+++ b/src/script/sigcache.h
@@ -6,6 +6,7 @@
 #ifndef BITCOIN_SCRIPT_SIGCACHE_H
 #define BITCOIN_SCRIPT_SIGCACHE_H
 
+#include <batchverify.h>
 #include <script/interpreter.h>
 #include <span.h>
 #include <util/hasher.h>
@@ -26,6 +27,8 @@ class CachingTransactionSignatureChecker : public TransactionSignatureChecker
     bool store;
 
 public:
+    bool GetStore() const { return store; }
+
     CachingTransactionSignatureChecker(const CTransaction* txToIn, unsigned int nInIn, const CAmount& amountIn, bool storeIn, PrecomputedTransactionData& txdataIn) : TransactionSignatureChecker(txToIn, nInIn, amountIn, txdataIn, MissingDataBehavior::ASSERT_FAIL), store(storeIn) {}
 
     bool VerifyECDSASignature(const std::vector<unsigned char>& vchSig, const CPubKey& vchPubKey, const uint256& sighash) const override;
@@ -34,4 +37,16 @@ class CachingTransactionSignatureChecker : public TransactionSignatureChecker
 
 [[nodiscard]] bool InitSignatureCache(size_t max_size_bytes);
 
+class BatchingCachingTransactionSignatureChecker : public CachingTransactionSignatureChecker
+{
+private:
+    BatchSchnorrVerifier* m_batch;
+
+public:
+    BatchingCachingTransactionSignatureChecker(const CTransaction* txToIn, unsigned int nInIn, const CAmount& amountIn, bool storeIn, PrecomputedTransactionData& txdataIn, BatchSchnorrVerifier* batchIn) : CachingTransactionSignatureChecker(txToIn, nInIn, amountIn, storeIn, txdataIn), m_batch(batchIn) {}
+
+    bool VerifySchnorrSignature(Span<const unsigned char> sig, const XOnlyPubKey& pubkey, const uint256& sighash) const override;
+    bool VerifySchnorrSignatureBatch() const;
+};
+
 #endif // BITCOIN_SCRIPT_SIGCACHE_H
diff --git a/src/test/txvalidationcache_tests.cpp b/src/test/txvalidationcache_tests.cpp
index 790eabc7c19736..8c72c1a9735ddc 100644
--- a/src/test/txvalidationcache_tests.cpp
+++ b/src/test/txvalidationcache_tests.cpp
@@ -22,7 +22,8 @@ struct Dersig100Setup : public TestChain100Setup {
 bool CheckInputScripts(const CTransaction& tx, TxValidationState& state,
                        const CCoinsViewCache& inputs, unsigned int flags, bool cacheSigStore,
                        bool cacheFullScriptStore, PrecomputedTransactionData& txdata,
-                       std::vector<CScriptCheck>* pvChecks) EXCLUSIVE_LOCKS_REQUIRED(cs_main);
+                       std::vector<CScriptCheck>* pvChecks,
+                       BatchSchnorrVerifier* batch = nullptr) EXCLUSIVE_LOCKS_REQUIRED(cs_main);
 
 BOOST_AUTO_TEST_SUITE(txvalidationcache_tests)
 
diff --git a/src/validation.cpp b/src/validation.cpp
index 81a3c35864995d..82b2edcb311777 100644
--- a/src/validation.cpp
+++ b/src/validation.cpp
@@ -10,6 +10,7 @@
 #include <validation.h>
 
 #include <arith_uint256.h>
+#include <batchverify.h>
 #include <chain.h>
 #include <checkqueue.h>
 #include <clientversion.h>
@@ -136,7 +137,8 @@ const CBlockIndex* Chainstate::FindForkInGlobalIndex(const CBlockLocator& locato
 bool CheckInputScripts(const CTransaction& tx, TxValidationState& state,
                        const CCoinsViewCache& inputs, unsigned int flags, bool cacheSigStore,
                        bool cacheFullScriptStore, PrecomputedTransactionData& txdata,
-                       std::vector<CScriptCheck>* pvChecks = nullptr)
+                       std::vector<CScriptCheck>* pvChecks = nullptr,
+                       BatchSchnorrVerifier* batch = nullptr)
                        EXCLUSIVE_LOCKS_REQUIRED(cs_main);
 
 bool CheckFinalTxAtTip(const CBlockIndex& active_chain_tip, const CTransaction& tx)
@@ -1861,6 +1863,9 @@ void UpdateCoins(const CTransaction& tx, CCoinsViewCache& inputs, CTxUndo &txund
 bool CScriptCheck::operator()() {
     const CScript &scriptSig = ptxTo->vin[nIn].scriptSig;
     const CScriptWitness *witness = &ptxTo->vin[nIn].scriptWitness;
+    if (m_batch) {
+        return VerifyScript(scriptSig, m_tx_out.scriptPubKey, witness, nFlags, BatchingCachingTransactionSignatureChecker(ptxTo, nIn, m_tx_out.nValue, cacheStore, *txdata, m_batch), &error);
+    }
     return VerifyScript(scriptSig, m_tx_out.scriptPubKey, witness, nFlags, CachingTransactionSignatureChecker(ptxTo, nIn, m_tx_out.nValue, cacheStore, *txdata), &error);
 }
 
@@ -1908,7 +1913,8 @@ bool InitScriptExecutionCache(size_t max_size_bytes)
 bool CheckInputScripts(const CTransaction& tx, TxValidationState& state,
                        const CCoinsViewCache& inputs, unsigned int flags, bool cacheSigStore,
                        bool cacheFullScriptStore, PrecomputedTransactionData& txdata,
-                       std::vector<CScriptCheck>* pvChecks)
+                       std::vector<CScriptCheck>* pvChecks,
+                       BatchSchnorrVerifier* batch)
 {
     if (tx.IsCoinBase()) return true;
 
@@ -1952,7 +1958,7 @@ bool CheckInputScripts(const CTransaction& tx, TxValidationState& state,
         // spent being checked as a part of CScriptCheck.
 
         // Verify signature
-        CScriptCheck check(txdata.m_spent_outputs[i], tx, i, flags, cacheSigStore, &txdata);
+        CScriptCheck check(txdata.m_spent_outputs[i], tx, i, flags, cacheSigStore, &txdata, batch);
         if (pvChecks) {
             pvChecks->emplace_back(std::move(check));
         } else if (!check()) {
@@ -1966,7 +1972,7 @@ bool CheckInputScripts(const CTransaction& tx, TxValidationState& state,
                 // non-upgraded nodes by banning CONSENSUS-failing
                 // data providers.
                 CScriptCheck check2(txdata.m_spent_outputs[i], tx, i,
-                        flags & ~STANDARD_NOT_MANDATORY_VERIFY_FLAGS, cacheSigStore, &txdata);
+                        flags & ~STANDARD_NOT_MANDATORY_VERIFY_FLAGS, cacheSigStore, &txdata, batch);
                 if (check2())
                     return state.Invalid(TxValidationResult::TX_NOT_STANDARD, strprintf("non-mandatory-script-verify-flag (%s)", ScriptErrorString(check.GetScriptError())));
             }
@@ -2391,6 +2397,9 @@ bool Chainstate::ConnectBlock(const CBlock& block, BlockValidationState& state,
     int nInputs = 0;
     int64_t nSigOpsCost = 0;
     blockundo.vtxundo.reserve(block.vtx.size() - 1);
+
+    BatchSchnorrVerifier batch{};
+
     for (unsigned int i = 0; i < block.vtx.size(); i++)
     {
         const CTransaction &tx = *(block.vtx[i]);
@@ -2442,7 +2451,7 @@ bool Chainstate::ConnectBlock(const CBlock& block, BlockValidationState& state,
             std::vector<CScriptCheck> vChecks;
             bool fCacheResults = fJustCheck; /* Don't cache results if we're actually connecting blocks (still consult the cache, though) */
             TxValidationState tx_state;
-            if (fScriptChecks && !CheckInputScripts(tx, tx_state, view, flags, fCacheResults, fCacheResults, txsdata[i], parallel_script_checks ? &vChecks : nullptr)) {
+            if (fScriptChecks && !CheckInputScripts(tx, tx_state, view, flags, fCacheResults, fCacheResults, txsdata[i], parallel_script_checks ? &vChecks : nullptr, &batch)) {
                 // Any transaction validation failure in ConnectBlock is a block consensus failure
                 state.Invalid(BlockValidationResult::BLOCK_CONSENSUS,
                               tx_state.GetRejectReason(), tx_state.GetDebugMessage());
@@ -2476,6 +2485,12 @@ bool Chainstate::ConnectBlock(const CBlock& block, BlockValidationState& state,
         LogPrintf("ERROR: %s: CheckQueue failed\n", __func__);
         return state.Invalid(BlockValidationResult::BLOCK_CONSENSUS, "block-validation-failed");
     }
+
+    if (!batch.Verify()) {
+        LogPrintf("ERROR: %s: Batch verification failed\n", __func__);
+        return state.Invalid(BlockValidationResult::BLOCK_CONSENSUS, "block-batch-verify-failed");
+    }
+
     const auto time_4{SteadyClock::now()};
     time_verify += time_4 - time_2;
     LogPrint(BCLog::BENCH, "    - Verify %u txins: %.2fms (%.3fms/txin) [%.2fs (%.2fms/blk)]\n", nInputs - 1,
diff --git a/src/validation.h b/src/validation.h
index 94765bfbcd8a64..e4a2e63193cac8 100644
--- a/src/validation.h
+++ b/src/validation.h
@@ -8,6 +8,7 @@
 
 #include <arith_uint256.h>
 #include <attributes.h>
+#include <batchverify.h>
 #include <chain.h>
 #include <checkqueue.h>
 #include <kernel/chain.h>
@@ -339,10 +340,11 @@ class CScriptCheck
     bool cacheStore;
     ScriptError error{SCRIPT_ERR_UNKNOWN_ERROR};
     PrecomputedTransactionData *txdata;
+    BatchSchnorrVerifier* m_batch;
 
 public:
-    CScriptCheck(const CTxOut& outIn, const CTransaction& txToIn, unsigned int nInIn, unsigned int nFlagsIn, bool cacheIn, PrecomputedTransactionData* txdataIn) :
-        m_tx_out(outIn), ptxTo(&txToIn), nIn(nInIn), nFlags(nFlagsIn), cacheStore(cacheIn), txdata(txdataIn) { }
+    CScriptCheck(const CTxOut& outIn, const CTransaction& txToIn, unsigned int nInIn, unsigned int nFlagsIn, bool cacheIn, PrecomputedTransactionData* txdataIn, BatchSchnorrVerifier* batchIn = nullptr) :
+        m_tx_out(outIn), ptxTo(&txToIn), nIn(nInIn), nFlags(nFlagsIn), cacheStore(cacheIn), txdata(txdataIn), m_batch(batchIn) { }
 
     CScriptCheck(const CScriptCheck&) = delete;
     CScriptCheck& operator=(const CScriptCheck&) = delete;