Multi-scalar multiplication (MSM), defined as MSM(P, x) = sum_{i=1}^n x_i P_i, is a dominant computational kernel in discrete-logarithm-based cryptography and often becomes a bottleneck for verifiers and other resource-constrained clients. We present 2G2T, a simple protocol for verifiably outsourcing MSM to an untrusted server. After a one-time keyed setup for fixed bases P = (P1, ..., Pn) that produces a public merged-bases vector T and client secret state, the server answers each query x = (x1, ..., xn) with only two group elements: A claimed to equal MSM(P, x) and an auxiliary value B claimed to equal MSM(T, x). Verification requires a single length-n field inner product and a constant number of group operations (two scalar multiplications and one addition), while the server performs two MSMs. In our Ristretto255 implementation, verification is up to ~300x faster than computing the MSM locally using a highly optimized MSM routine for n up to 2^18, and the server-to-client response is constant-size (two compressed group elements, 64 bytes on Ristretto255). Despite its simplicity and efficiency, 2G2T achieves statistical soundness: for any (even computationally unbounded) adversarial server, the probability of accepting an incorrect result is at most 1/q per query, and at most e/q over e adaptive executions, in a prime-order group of size q.