
BLS digital signature

A BLS digital signature, also known as Boneh–Lynn–Shacham[1] (BLS), is a cryptographic signature scheme which allows a user to verify that a signer is authentic.

The scheme uses a bilinear pairing for verification, and signatures are elements of an elliptic curve group. Working in an elliptic curve group provides some defense against index calculus attacks (with the caveat that such attacks are still possible in the target group $G_T$ of the pairing), allowing shorter signatures than FDH signatures for a similar level of security.

Signatures produced by the BLS signature scheme are often referred to as short signatures, BLS short signatures, or simply BLS signatures.[2] The signature scheme is provably secure (the scheme is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model assuming the intractability of the computational Diffie–Hellman problem in a gap Diffie–Hellman group.[1]

Pairing functions

A gap group is a group in which the computational Diffie–Hellman problem is intractable but the decisional Diffie–Hellman problem can be efficiently solved. Non-degenerate, efficiently computable, bilinear pairings permit such groups.

Let $e\colon G\times G\rightarrow G_T$ be a non-degenerate, efficiently computable, bilinear pairing where $G$, $G_T$ are groups of prime order, $r$. Let $g$ be a generator of $G$. Consider an instance of the CDH problem, $g$, $g^x$, $g^y$. Intuitively, the pairing function $e$ does not help us compute $g^{xy}$, the solution to the CDH problem. It is conjectured that this instance of the CDH problem is intractable. Given $g^z$, we may check to see if $g^z=g^{xy}$ without knowledge of $x$, $y$, and $z$, by testing whether $e(g^x,g^y)=e(g,g^z)$ holds.

By using the bilinear property $x+y+z$ times, we see that if $e(g^x,g^y)=e(g,g)^{xy}=e(g,g)^{z}=e(g,g^z)$, then, since $G_T$ is a prime order group, $xy=z$.

BLS signature scheme

A signature scheme consists of three functions: generate, sign, and verify.[1]

Key generation

The key generation algorithm selects a random integer $x$ such that $0<x<r$. The private key is $x$. The holder of the private key publishes the public key, $g^x$.

Signing

Given the private key $x$, and some message $m$, we compute the signature by hashing the bitstring $m$, as $h=H(m)$. We output the signature $\sigma=h^x$.

Verification

Given a signature $\sigma$ and a public key $g^x$, we verify that $e(\sigma,g)=e(H(m),g^x)$.

Properties

  • Simple Threshold Signatures[3][better source needed]
  • Signature Aggregation: Multiple signatures generated under multiple public keys for multiple messages can be aggregated into a single signature.[4]
  • Unique and deterministic: for a given key and message, there is only one valid signature (like RSA PKCS1 v1.5, EdDSA and unlike RSA PSS, DSA, ECDSA and Schnorr).[citation needed]
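
The pairing check, key generation, signing, verification and aggregation described above, as an added example that is not part of the original article. It is a toy model that stores each group element as its exponent, so the algebra is exact but there is no security; the modulus `R` and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy model: every group element is stored as its exponent, so g^a is the
# integer a mod R and e(g,g)^c is the integer c mod R. The algebra matches the
# scheme exactly, but nothing is hidden: the public key equals the private key.
R = 2**127 - 1   # prime group order r (constructed toy parameter)
G = 1            # generator g, i.e. g^1

def power(elem, k):        # elem^k in G or G_T
    return elem * k % R

def product(a, b):         # a * b in G or G_T
    return (a + b) % R

def pairing(a, b):         # bilinear map: e(g^a, g^b) = e(g, g)^(ab)
    return a * b % R

def hash_to_group(msg):    # H(m), SHA-256 reduced into G
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % R

def keygen():
    x = secrets.randbelow(R - 1) + 1          # 0 < x < r
    return x, power(G, x)                     # private x, public g^x

def sign(x, msg):
    return power(hash_to_group(msg), x)       # sigma = H(m)^x

def verify(pk, msg, sigma):                   # e(sigma, g) == e(H(m), g^x)
    return pairing(sigma, G) == pairing(hash_to_group(msg), pk)

def is_dh_tuple(gx, gy, gz):                  # gap-group test: is z == xy ?
    return pairing(gx, gy) == pairing(G, gz)

def aggregate(sigmas):                        # product of all signatures
    agg = 0                                   # identity element g^0
    for s in sigmas:
        agg = product(agg, s)
    return agg

def verify_aggregate(pks, msgs, agg):
    if len(pks) != len(msgs) or len(set(msgs)) != len(msgs):
        return False                          # this check expects distinct messages
    rhs = 0                                   # identity of G_T
    for pk, m in zip(pks, msgs):              # prod_i e(H(m_i), pk_i)
        rhs = product(rhs, pairing(hash_to_group(m), pk))
    return pairing(agg, G) == rhs
```

A real deployment replaces `power`, `product`, `pairing` and `hash_to_group` with operations on a pairing-friendly curve such as BLS12-381, where recovering $x$ from $g^x$ is infeasible.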

Curves

BLS12-381

BLS12-381 is part of a family of elliptic curves named after Barreto, Lynn, and Scott[5] (a different BLS trio, except for the L). It was designed by Sean Bowe in early 2017 as the foundation for an upgrade to the Zcash protocol. It is both pairing-friendly (making it efficient for digital signatures) and effective for constructing zk-SNARKs.[6]

Implementations

  • BLS12-381 is proposed for inclusion in IETF internet encryption standards.[7]
  • Chia network has used BLS12-381 signatures.[7][8][9]
  • By 2020, BLS12-381 signatures were used extensively in version 2 (Eth2) of the Ethereum blockchain, as specified in the IETF draft BLS signature specification—for cryptographically assuring that a specific Eth2 validator has actually verified a particular transaction.[2] The use of BLS signatures in Ethereum is considered a solution to the verification bottleneck only for the medium term, as BLS signatures are not quantum secure. Over the longer term—say, 2025–2030—STARK aggregation is expected to be a drop-in replacement for BLS aggregation.[7][10]
  • Dfinity (developers of the "Internet Computer" cryptocurrency) BLS12-381 implementation.[7]
  • Algorand cryptocurrency uses BLS12-381.[7]
  • Skale cryptocurrency uses BLS12-381.[6]

See also

  • Pairing-based cryptography

References

  1. Dan Boneh; Ben Lynn & Hovav Shacham (2004). "Short Signatures from the Weil Pairing". Journal of Cryptology. 17 (4): 297–319. CiteSeerX 10.1.1.589.9141. doi:10.1007/s00145-004-0314-9. S2CID 206885645.
  2. "Ethereum 2.0 Phase 0 -- The Beacon Chain : BLS Signatures". GitHub. 28 July 2020. Retrieved 4 September 2020.
  3. Craige, Jake (11 March 2020). "Threshold BLS Signatures". jcraige.com. Retrieved 8 August 2022.
  4. D. Boneh, C. Gentry, H. Shacham, and B. Lynn. "Aggregate and Verifiably Encrypted Signatures from Bilinear Maps". Proceedings of Eurocrypt 2003, LNCS 2656, pp. 416–432, 2003.
  5. Barreto, Paulo S. L. M.; Lynn, Ben; Scott, Michael (2003), "Constructing Elliptic Curves with Prescribed Embedding Degrees", Security in Communication Networks, Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 257–267, ISBN 978-3-540-00420-2, retrieved 2024-02-11
  6. "BLS12-381 For The Rest Of Us". HackMD. Retrieved 2024-02-11.
  7. Boneh, Dan; Gorbunov, Sergey; Wahby, Riad S.; Wee, Hoeteck; Wood, Christopher A.; Zhang, Zhenfei (2022-06-16). BLS Signatures (Report). Internet Engineering Task Force.
  8. "5. BLS Signatures | Chia Documentation". docs.chia.net. Retrieved 2023-06-07.
  9. BLS signatures
  10. Drake, Justin (5 December 2019). "Pragmatic signature aggregation with BLS". ethresear.ch/. Eth research. Retrieved 8 January 2021.

External links

  • Summary description of the Algorand draft standard effort
  • Ben Lynn's PBC Library
  • Chia Network's BLS signatures implementation (C++)
