Professional Documents
Culture Documents
Gabor Tanz
gabor.tanz@students.bfh.ch
The BLS Signature Scheme
Contents
1 Introduction 4
2 Prerequisites 5
2.1 Abstract Algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.1 Group Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.2 Cyclic Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.3 Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Elliptic curves (EC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.2 Addition of curve points . . . . . . . . . . . . . . . . . . . . . . . 7
2.2.3 Elliptic curves over finite fields . . . . . . . . . . . . . . . . . . . . 8
2.3 Bilinear maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3 BLS signatures 10
3.1 Signature schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.1 Key generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.2 Signature generation . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.3 Signature validation . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.4 Hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2 The BLS signature scheme . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.3 Signature aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.4 Threshold signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.5 Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5 Conclusion 15
2
The BLS Signature Scheme
This document explains the BLS signature scheme and the necessary math-
ematic basics and some of its uses for cryptocurrencies.
3
The BLS Signature Scheme
1 Introduction
The BLS Signature Method (named after Boneh, Lynn and Shacham) uses bi-linear
pairing with an elliptic curve group. It uses the Weil-Pairing, which is described in
the paper from Boneh, Lynn and Shacham [DBL04]. BLS has really short signatures
and due to the bi-linear mapping a few interesting properties which can be useful when
applied to to cryptocurrencies.
In order to understand BLS the reader needs to know how elliptical curves work and
the mathematical concepts behind them, which will be introduced in the following chap-
ters. Another important requirement is the pairing function, but it won’t be explained
how this function exactly works as this can fit a whole paper(see references). More
important is the concept of such a function and the properties it brings.
4
The BLS Signature Scheme
2 Prerequisites
The following mathematical concepts are needed to better understand how the BLS
Signature scheme works.
• Identity, an identity element e exists, so that ◦ with any element of the group and
the identity element produces the element itself.
• Inverse, for each element a in G there exists an inverse element b, so that the two
produce the identity element e.
• Closure, for any element in G the result of the operation ◦ is also in G. This is
implied by satisfying the other three properties.
Mathematical definition
Group: G = (G, ◦, inv, e)
Associativity: x ◦ (y ◦ z) = (x ◦ y) ◦ z ∀x, y, z ∈ G
Identity: e ◦ x = x ◦ e = x ∀x, e ∈ G
Inverse: x ◦ inv(x) = inv(x) ◦ x = e ∀x ∈ G
Closure: ∀x, y ∈ G → x ◦ y ∈ G
Examples
The set of integers Z with the operation +, the identity element 0 and the inverse
operation −. G = (Z, +, −, 0)
The set of integers Z modulo n with the operation ×, the identity element 1 and the
inverse operation −1 . G = (Z∗n , ×n ,−1 , 1)
5
The BLS Signature Scheme
Examples 3 is a generator of Z∗7 . The powers of 3 mod 7 are 3,2,6,4,5,1, which are all
elements in Z7 .
2 is not a generator of Z∗7 . The powers of 2 mod 7 are 2,4,1, which aren’t all elements
in Z7 .
As at least one element in Z7 exists that can generate the group it is cyclic.
Z∗4 is not a cyclic group as none of the elements can generate the group.
2.1.3 Fields
A field is based on a set and two operations, which each set/operation combination
forming abelian or commutative groups, further both operations are distributive.
The field (K, +, ∗) is based on the two abelian groups (K, +, −, 0) and (K
0, ∗,− 1, 1). Distributivity is defined as: ∀a, b, c ∈ K: a ∗ (b + c) = a ∗ b + a ∗ c, (a + b) ∗ c =
a ∗ c + b ∗ c.
Example An example for a finite field is (Z mod 5 , +, −, 0, ∗,−1 , 1), which consists of
the groups (Z mod 5 , +, −, 0) and (Z mod 5 , ∗,−1 , 1).
6
The BLS Signature Scheme
O
, if P = −Q
, if Q = O
P
P +Q=
Q , if P = O
−R , if P 6= −Q and P, Q 6= O
If we look at the "normal" case where P isn’t −Q and neither P nor Q are O, we can
define the addition as follows:
P = (x1 , y1 ), Q = (x2 , y2 )
7
The BLS Signature Scheme
E2 ,5 (Z7 ) = {(1, 1), (1, 6), (4, 0), (5, 0), (6, 3), (6, 4), O}
Figure 3: y 2 ≡ x3 + 2x + 5 mod 7
Addition works with the same formula as before, but because we are operating on a
finite field, we can create a table for all possible additions as they will repeat themselves.
In elliptic curves over a finite field every point is a generator if the order of the curve is
prime.
8
The BLS Signature Scheme
9
The BLS Signature Scheme
3 BLS signatures
3.1 Signature schemes
A signature scheme is used for verifying the authenticity of digital messages. With a sig-
nature a recipient can verify that a message was sent by the sender it claims(authentication)
and that it wasn’t tampered with(integrity).
A Signature scheme uses the following 3 algorithms:
• key generation
• signature generation
• signature validation
In most cases the signature is applied on the hash of the message instead of the
message itself, as the calculation of the signature is often slow and the signature size
depends on the message size.
10
The BLS Signature Scheme
We take a random number which our secret key sk and our public key pk is
defined as pk = sk × G where G is a generator point.
The signature σ is then simply the result of multiplying the Hash h of the
message m with the private key. σ = sk × H(m) which can also be written as
σ := hsk and h := H(m)
11
The BLS Signature Scheme
12
The BLS Signature Scheme
Example We will do a 2-of-3 multisig. We first calculate a value a for every public
key ai = hash(pki , pk1 , pk2 , pk3 ) and then calculate an aggregated public key pk =
a1 × pk1 + a2 × pk2 + a3 × pk3 . Then we generate a membership key for every i Mi =
(a1 · sk1 ) × H(pk, i) + (a2 · sk2 ) × H(pk, i) + (a3 · sk3 ) × H(pk, i). This membership key
fulfills this equation e(G, Mi ) = e(pk, H(pk, i)).
To sign the message we calculate the signatures σ1 = sk1 × H(pk, m) + M1 and
σ2 = sk2 × H(P, m) + M2 and aggregate them (σ 0 , pk 0 ) = (σ1 + σ2 , pk1 + pk2 ).
To verify this we need to check e(G, σ 0 ) = e(pk 0 , H(pk, m)) · e(pk, H(pk, 1) + H(pk, 2))
3.5 Correlation
If a secret key, public key and signature correlate to each other they also correlate if the
same arithmetic operations are applied to all of them. Aggregation is one form of corre-
lation but it also can be more complicated like polynomial evaluation or interpolation.
13
The BLS Signature Scheme
14
The BLS Signature Scheme
5 Conclusion
As a conclusion we can see that BLS has some interesting uses for cryptocurrencies, but
sometimes not without some drawbacks. In case of signature aggregation it is a trade-
off between storage needed for the signature and computation time of the signatures.
Also this field of cryptography is still very young and some more formal verification of
the cryptographic properties may be needed. As of now there are just two known safe
pairing functions, the Tate- and the Weil-Pairing.
References
[DBL04] H. Shacham D. Boneh and B. Lynn. Short signatures from the Weil pairing.
https://crypto.stanford.edu/~dabo/pubs/papers/weilsigs.ps. 2004.
[Cor15] Andrea Corbellini. Elliptic Curve Cryptography: a gentle introduction. https:
//andrea.corbellini.name/2015/05/17/elliptic-curve-cryptography-
a-gentle-introduction/. 2015.
[Blo18a] Alexander Block. BLS Signature Scheme. https://github.com/dashpay/
dips/blob/master/dip-0006/bls_signature_scheme.md. 2018.
[Blo18b] Alexander Block. Secret Sharing and Threshold Signatures with BLS. https:
//blog.dash.org/secret-sharing-and-threshold-signatures-with-
bls-954d1587b5f. 2018.
[Buc18] Bill Buchanan. Meet Boneh–Lynn–Shacham (BLS) signatures. https : / /
medium.com/asecuritysite-when-bob-met-alice/boneh-lynn-shacham-
bls-signatures-d053cf049aa8. 2018.
[DBN18] M. Drijvers D. Boneh and G. Neven. BLS Multi-Signatures With Public-
Key Aggregation. https://crypto.stanford.edu/~dabo/pubs/papers/
BLSmultisig.html. 2018.
[Gro18] Christian Grothoff. BTI 7261 Secure IT Infrastructure. https://grothoff.
org/christian/teaching/2018/7261/. 2018.
[Hae18] Rolf Haenni. BTI7261 Applied Cryptography: Public-Key Cryptography. https:
/ / drive . google . com / drive / folders / 1spQiHNmzsUIpLsu _ Yx7XVF5sP _
R0aBJb. 2018.
[Ste18] Stephan. BLS signatures: better than Schnorr. https://medium.com/cryptoadvance/
bls-signatures-better-than-schnorr-5a7fe30ea716. 2018.
15