A BLS digital signature, also known as Boneh–Lynn–Shacham [1] (BLS), is a cryptographic signature scheme which allows a user to verify that a signer is authentic.
The scheme uses a bilinear pairing for verification, and signatures are elements of an elliptic curve group. Working in an elliptic curve group provides some defense against index calculus attacks (with the caveat that such attacks are still possible in the target group of the pairing), allowing shorter signatures than FDH signatures for a similar level of security.
Signatures produced by the BLS signature scheme are often referred to as short signatures, BLS short signatures, or simply BLS signatures. [2] The signature scheme is provably secure (the scheme is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model assuming the intractability of the computational Diffie–Hellman problem in a gap Diffie–Hellman group. [1]
A gap group is a group in which the computational Diffie–Hellman problem is intractable but the decisional Diffie–Hellman problem can be efficiently solved. Non-degenerate, efficiently computable, bilinear pairings permit such groups.
Let be a non-degenerate, efficiently computable, bilinear pairing where , are groups of prime order, . Let be a generator of . Consider an instance of the CDH problem, ,, . Intuitively, the pairing function does not help us compute , the solution to the CDH problem. It is conjectured that this instance of the CDH problem is intractable. Given , we may check to see if without knowledge of , , and , by testing whether holds.
By using the bilinear property times, we see that if , then, since is a prime order group, .
A signature scheme consists of three functions: generate, sign, and verify. [1]
The key generation algorithm selects a random integer such as . The private key is . The holder of the private key publishes the public key, .
Given the private key , and some message , we compute the signature by hashing the bitstring , as . We output the signature .
Given a signature and a public key , we verify that .
BLS12-381 is part of a family of elliptic curves named after Barreto, Lynn, and Scott [5] (a different BLS trio, except for the L). Designed by Sean Bowe in early 2017 as the foundation for an upgrade to the Zcash protocol. It is both pairing-friendly (making it efficient for digital signatures) and effective for constructing zkSnarks. [6]
A BLS digital signature, also known as Boneh–Lynn–Shacham [1] (BLS), is a cryptographic signature scheme which allows a user to verify that a signer is authentic.
The scheme uses a bilinear pairing for verification, and signatures are elements of an elliptic curve group. Working in an elliptic curve group provides some defense against index calculus attacks (with the caveat that such attacks are still possible in the target group of the pairing), allowing shorter signatures than FDH signatures for a similar level of security.
Signatures produced by the BLS signature scheme are often referred to as short signatures, BLS short signatures, or simply BLS signatures. [2] The signature scheme is provably secure (the scheme is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model assuming the intractability of the computational Diffie–Hellman problem in a gap Diffie–Hellman group. [1]
A gap group is a group in which the computational Diffie–Hellman problem is intractable but the decisional Diffie–Hellman problem can be efficiently solved. Non-degenerate, efficiently computable, bilinear pairings permit such groups.
Let be a non-degenerate, efficiently computable, bilinear pairing where , are groups of prime order, . Let be a generator of . Consider an instance of the CDH problem, ,, . Intuitively, the pairing function does not help us compute , the solution to the CDH problem. It is conjectured that this instance of the CDH problem is intractable. Given , we may check to see if without knowledge of , , and , by testing whether holds.
By using the bilinear property times, we see that if , then, since is a prime order group, .
A signature scheme consists of three functions: generate, sign, and verify. [1]
The key generation algorithm selects a random integer such as . The private key is . The holder of the private key publishes the public key, .
Given the private key , and some message , we compute the signature by hashing the bitstring , as . We output the signature .
Given a signature and a public key , we verify that .
BLS12-381 is part of a family of elliptic curves named after Barreto, Lynn, and Scott [5] (a different BLS trio, except for the L). Designed by Sean Bowe in early 2017 as the foundation for an upgrade to the Zcash protocol. It is both pairing-friendly (making it efficient for digital signatures) and effective for constructing zkSnarks. [6]