BLS digital signature

A BLS digital signature, also known as Boneh–Lynn–Shacham^[1] (BLS), is a cryptographic signature scheme which allows a user to verify that a signer is authentic.

The scheme uses a bilinear pairing ${\displaystyle e:G_{1}\times G_{2}\to G_{T}}$, where ${\displaystyle G_{1},G_{2},}$ and ${\displaystyle G_{T}}$ are elliptic curve groups of prime order ${\displaystyle q}$, and a hash function ${\displaystyle H}$ from the message space into ${\displaystyle G_{1}}$. Signature are elements of ${\displaystyle G_{1}}$, public keys are elements of ${\displaystyle G_{2}}$, and the secret key is an integer in ${\displaystyle [0,q-1]}$. Working in an elliptic curve group provides some defense against index calculus attacks (with the caveat that such attacks are still possible in the target group ${\displaystyle G_{T}}$ of the pairing), allowing shorter signatures than FDH signatures for a similar level of security.

Signatures produced by the BLS signature scheme are often referred to as short signatures, BLS short signatures, or simply BLS signatures.^[2] The signature scheme is provably secure (the scheme is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model assuming the intractability of the computational Diffie–Hellman problem in a gap Diffie–Hellman group.^[1]

BLS signature scheme

A signature scheme consists of three functions: generate, sign, and verify.^[1]

Key generation

The key generation algorithm selects the private key by picking a random integer ${\displaystyle x\in [0,q-1]}$. The holder of the private key publishes the public key, ${\displaystyle g_{2}^{x}}$, where ${\displaystyle g_{2}}$ is a generator of ${\displaystyle G_{2}}$.

Signing

Given the private key ${\displaystyle x}$, and some message ${\displaystyle m}$, we compute the signature by hashing the bitstring ${\displaystyle m}$, as ${\displaystyle h=H(m)}$, and we output the signature ${\displaystyle \sigma =h^{x}}$.

Verification

Given a signature ${\displaystyle \sigma }$ for message ${\displaystyle m}$ and public key ${\displaystyle g_{2}^{x}}$, we verify that ${\displaystyle e(\sigma ,g_{2})=e(H(m),g_{2}^{x})}$.

Properties

• Unique and deterministic: for a given key and message, there is only one valid signature (like RSA PKCS1 v1.5, EdDSA and unlike RSA PSS, DSA, ECDSA, Schnorr and ML-DSA).^[3]
• Signature Aggregation: Multiple signatures generated under multiple public keys for multiple messages can be aggregated into a single signature.^[4]
• Simple Threshold Signatures^[5] and multisignatures.^[6]

Curves

BLS12-381

BLS12-381 is part of a family of elliptic curves named after Barreto, Lynn, and Scott^[7] (a different BLS trio, except for the L). It was designed by Sean Bowe in early 2017 as the foundation for an upgrade to the Zcash protocol. It is both pairing-friendly, making it efficient for digital signatures, and effective for constructing zkSnarks.^[8] The planned usage^{[clarification needed]} of BLS12-381 for BLS signatures is detailed in the June 2022 IETF internet draft.^[9]

Implementations

• Chia network has used BLS signatures.^[10][11]
• By 2020, BLS signatures were used extensively in version 2 (Eth2) of the Ethereum blockchain, as specified in the IETF draft BLS signature specification—for cryptographically assuring that a specific Eth2 validator has actually verified a particular transaction.^[2] The use of BLS signatures in Ethereum is considered a solution to the verification bottleneck only for the medium term, as BLS signatures are not quantum secure. Over the longer term—say, 2025–2030—STARK aggregation is expected to be a drop-in replacement for BLS aggregation.^[9][12]
• Dfinity (developers of the "Internet Computer" cryptocurrency) uses a BLS implementation.^[13]
• Skale cryptocurrency uses BLS signature algorithm.^[14]
• drand uses the BLS12-381 curve as a threshold scheme.^[15]

See also

• Pairing-based cryptography