BLS digital signature

A BLS digital signature, also known as Boneh–Lynn–Shacham (BLS), is a cryptographic signature scheme which allows a user to verify that a signer is authentic.

The scheme uses a bilinear pairing e: G_1\times G_2\to G_T, where G_1, G_2, and G_T are elliptic curve groups of prime order q, and a hash function H from the message space into G_1. Signatures are elements of G_1, public keys are elements of G_2, and the secret key is an integer in [0,q-1]. Working in an elliptic curve group provides some defense against index calculus attacks (with the caveat that such attacks are still possible in the target group G_T of the pairing), allowing shorter signatures than FDH signatures for a similar level of security.

Signatures produced by the BLS signature scheme are often referred to as short signatures, BLS short signatures, or simply BLS signatures. The signature scheme is provably secure (the scheme is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model assuming the intractability of the computational Diffie–Hellman problem in a gap Diffie–Hellman group.

BLS signature scheme

A signature scheme consists of three functions: generate, sign, and verify.{{cite journal |author=Dan Boneh |author-link=Dan Boneh |author2=Ben Lynn |author2-link=Ben Lynn |author3=Hovav Shacham |author3-link=Hovav Shacham |name-list-style=amp |title=Short Signatures from the Weil Pairing |journal=Journal of Cryptology |volume=17 |issue=4 |year=2004 |pages=297–319 |doi=10.1007/s00145-004-0314-9 |citeseerx=10.1.1.589.9141 |s2cid=206885645 }}

;Key generation

The key generation algorithm selects the private key by picking a random integer x\in [0,q-1]. The holder of the private key publishes the public key, g_2^x, where g_2 is a generator of G_2.

;Signing

Given the private key x, and some message m, we compute the signature by hashing the bitstring m, as h=H(m), and we output the signature \sigma=h^x.

;Verification

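Given a signature \sigma for message m and public key g_2^x, we verify that e(\sigma, g_2)=e(H(m), g_2^x). A correctly generated signature passes this check because the pairing is bilinear: e(\sigma, g_2)=e(H(m)^x, g_2)=e(H(m), g_2)^x=e(H(m), g_2^x).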

Properties

  • Unique and deterministic: for a given key and message, there is only one valid signature (like RSA PKCS1 v1.5, EdDSA and unlike RSA PSS, DSA, ECDSA, Schnorr and ML-DSA).{{Cite web |last=Shacham |first=Hovav |title=New Paradigms in Signature Schemes |url=https://hovav.net/ucsd/dist/thesis.pdf |access-date=2024-06-07 |website=www.semanticscholar.org |page=18}}
  • Signature Aggregation: Multiple signatures generated under multiple public keys for multiple messages can be aggregated into a single signature. (D. Boneh, C. Gentry, H. Shacham, and B. Lynn, [http://crypto.stanford.edu/~dabo/pubs/abstracts/aggreg.html Aggregate and Verifiably Encrypted Signatures from Bilinear Maps], Proceedings of Eurocrypt 2003, LNCS 2656, pp. 416-432, 2003.)
  • Simple Threshold Signatures{{cite web |url=https://www.jcraige.com/threshold-bls-signatures |title=Threshold BLS Signatures |website=jcraige.com |last=Craige|first=Jake |date=11 March 2020 |access-date=8 August 2022}} and multisignatures.{{Cite book |last=Boldyreva |first=Alexandra |date=2002 |editor-last=Desmedt |editor-first=Yvo G. |chapter=Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme |chapter-url=https://link.springer.com/chapter/10.1007/3-540-36288-6_3 |title=Public Key Cryptography — PKC 2003 |series=Lecture Notes in Computer Science |volume=2567 |language=en |location=Berlin, Heidelberg |publisher=Springer |pages=31–46 |doi=10.1007/3-540-36288-6_3 |isbn=978-3-540-36288-3}}
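
The key generation, signing and verification steps and the aggregation property above, as an added Python example (not code from the cited papers or from any BLS library). It is a toy model in which each group element is stored as its discrete logarithm, so the pairing reduces to multiplication mod Q and nothing here is secure; Q, the SHA-256-based hash and all function names are assumptions.

```python
import hashlib
import secrets

# Toy model (constructed for illustration): every group element is stored as
# its discrete log to the base g_1, g_2 or e(g_1, g_2). So g^a * g^b is a + b,
# (g^a)^x is a * x, and e(g_1^a, g_2^b) = e(g_1, g_2)^(a*b) is a * b, all
# mod Q. Discrete logs are in the clear, so this checks the algebra only.
Q = 2**127 - 1   # prime group order (a Mersenne prime), chosen for the toy
G2 = 1           # exponent representation of the generator g_2


def pairing(a, b):
    """e(g_1^a, g_2^b) in exponent form."""
    return (a * b) % Q


def hash_to_g1(message: bytes) -> int:
    """H: messages -> G_1 (toy: SHA-256 reduced mod Q)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def keygen():
    x = 1 + secrets.randbelow(Q - 1)   # private key; 0 excluded (identity public key)
    return x, (G2 * x) % Q             # public key g_2^x


def sign(x, message):
    return (hash_to_g1(message) * x) % Q   # sigma = H(m)^x


def verify(pk, message, sigma):
    # e(sigma, g_2) == e(H(m), g_2^x)
    return pairing(sigma, G2) == pairing(hash_to_g1(message), pk)


def aggregate(signatures):
    return sum(signatures) % Q             # product of the sigma_i in G_1


def verify_aggregate(pks, messages, agg):
    # The aggregate scheme of Boneh, Gentry, Lynn and Shacham requires
    # the messages to be distinct, so repeated messages are rejected.
    if len(pks) != len(messages) or len(set(messages)) != len(messages):
        return False
    # e(sigma_agg, g_2) == prod_i e(H(m_i), pk_i); a product in G_T is a sum here
    rhs = sum(pairing(hash_to_g1(m), pk) for pk, m in zip(pks, messages)) % Q
    return pairing(agg, G2) == rhs
```

A real deployment replaces the exponent arithmetic with a pairing-friendly curve and a proper hash-to-curve function; only the equations being checked carry over.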

Curves

= BLS12-381 =

BLS12-381 is part of a family of elliptic curves named after Barreto, Lynn, and Scott{{Citation |last1=Barreto |first1=Paulo S. L. M. |title=Constructing Elliptic Curves with Prescribed Embedding Degrees |date=2003 |work=Security in Communication Networks |pages=257–267 |url=http://dx.doi.org/10.1007/3-540-36413-7_19 |access-date=2024-02-11 |place=Berlin, Heidelberg |publisher=Springer Berlin Heidelberg |isbn=978-3-540-00420-2 |last2=Lynn |first2=Ben |last3=Scott |first3=Michael|doi=10.1007/3-540-36413-7_19 |url-access=subscription }} (a different BLS trio, except for the L). It was designed by Sean Bowe in early 2017 as the foundation for an upgrade to the Zcash protocol. It is both pairing-friendly, making it efficient for digital signatures, and effective for constructing zkSnarks.{{Cite web |title=BLS12-381 For The Rest Of Us |url=https://hackmd.io/@benjaminion/bls12-381 |access-date=2024-02-11 |website=HackMD |language=en}} The planned usage of BLS12-381 for BLS signatures is detailed in the June 2022 IETF internet draft.{{Cite report |url=https://datatracker.ietf.org/doc/draft-irtf-cfrg-bls-signature/05/ |title=BLS Signatures |last1=Boneh |first1=Dan |last2=Gorbunov |first2=Sergey |date=2022-06-16 |publisher=Internet Engineering Task Force |issue=draft-irtf-cfrg-bls-signature-05 |last3=Wahby |first3=Riad S. |last4=Wee |first4=Hoeteck |last5=Wood |first5=Christopher A. |last6=Zhang |first6=Zhenfei}}

Implementations

  • Chia network has used BLS signatures.{{Cite web |title=5. BLS Signatures {{!}} Chia Documentation |url=https://docs.chia.net/guides/chialisp-bls-signatures |access-date=2023-06-07 |website=docs.chia.net |language=en}} [https://github.com/Chia-Network/bls-signatures BLS signatures]
  • By 2020, BLS signatures were used extensively in version 2 (Eth2) of the Ethereum blockchain, as specified in the IETF draft BLS signature specification—for cryptographically assuring that a specific Eth2 validator has actually verified a particular transaction.{{cite web |url=https://github.com/ethereum/eth2.0-specs/blob/dev/specs/phase0/beacon-chain.md#bls-signatures |title=Ethereum 2.0 Phase 0 -- The Beacon Chain : BLS Signatures |website=GitHub |date=28 July 2020 |accessdate=4 September 2020 }} The use of BLS signatures in Ethereum is considered a solution to the verification bottleneck only for the medium term, as BLS signatures are not quantum secure. Over the longer term—say, 2025–2030—STARK aggregation is expected to be a drop-in replacement for BLS aggregation.{{cite web |title=Pragmatic signature aggregation with BLS |url=https://ethresear.ch/t/pragmatic-signature-aggregation-with-bls/2105 |last=Drake|first=Justin |publisher= Eth research |website=ethresear.ch/ |date=5 December 2019 |accessdate=8 January 2021 }}
  • Dfinity (developers of the "Internet Computer" cryptocurrency) uses a BLS implementation.{{Cite web |title=Chain-key signatures {{!}} Internet Computer |url=https://internetcomputer.org/how-it-works/threshold-ecdsa-signing/ |access-date=2024-08-16 |website=internetcomputer.org |language=en}}
  • The Skale cryptocurrency uses the BLS signature algorithm.{{Cite web |title=SKALE Documentation :: SKALE Network Documentation |url=https://docs.skale.network/#_ethereum_native |access-date=2024-08-16 |website=docs.skale.network}}
  • drand uses the BLS12-381 curve as a threshold scheme.{{cite web | title=2.1 Cryptography | website=drand | url=https://docs.drand.love/docs/concepts/2-1-concepts-cryptography/ | access-date=2024-11-18}}

References

{{Reflist}}