Batch Verification of EdDSA Signatures

In AfricaCrypt 2012 and ACNS 2014, several algorithms are proposed for the batch verification of ECDSA signatures. In this paper, we make a comparative study of these methods for the Edwards curve digital signature algorithm (EdDSA). We describe the adaptation of Algorithms N, N′, S2′ and SP for EdDSA signatures. The randomization methods are also explained in detail. More precisely, we study seminumeric scalar multiplication and Montgomery ladders during randomization of EdDSA signatures. Each EdDSA signature verification involves a square-root computation. One may instead use an ECDSA-like verification procedure which avoids the expensive square-root computation. We study both these variants of EdDSA verification. Experimental results show that for small batch sizes the Algorithms S2′ and SP yield speedup comparable to what is achieved by Algorithm N′ which is originally proposed as the default EdDSA batch-verification algorithm.