Lenient/strict batch verification in several groups

Abstract

Batch verification is a useful tool in verifying a large number of cryptographic items all at one time. It is especially effective in verifying predicates based on modular exponentiation. In some cases, however, the items can be incorrect although they pass batch verification together. Such leniency can be eliminated by checking the domain of each item inadvance. With this in mind, we investigate if the strict batch verification can remain more effective than separate verification. In this paper, we estimate the efficiency of such strict batch verification in several types of groups, a prime subgroup of ZZp with special/random prime Zp and prime subgroups defined on elliptic curves over IFp, IF2m and IFpm, which are often used in DL-based cryptographic primitives. Our analysis concludes that the efficiency differs greatly depending on the choice of the group and parameters determined by the verifying predicate. Furthermore, we even show that there are some cases where batch verification, regardless of strictness, loses its computational advantage.