BLS Signature for Busy People

BLS_Signature.md

BLS Signature for Busy People

Summary

• BLS stands for

  • Barreto-Lynn-Scott: BLS12, a Pairing Friendly Elliptic Curve.
  • Boneh-Lynn-Shacham: A Signature Scheme.

• Signature Aggregation

  • It is possible to verify n aggregate signatures on the same message with just 2 pairings instead of n+1.

• Secure enclaves to provide the following APIs

  • Private Key generation
    • https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00#section-2.3
    • Now, in practical terms, you may want to generate your keys in a separate ceremony, and create a procedure to add them into your device.
  • Public Key computation (pk X G)
    • Where pk is the private key, X is the group multiplication, and G is the generator.
  • Sign(pk, message)
    • https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00#section-2.5

• BLS Relies on Bilinear Pairing

  • Expensive. Now, given that we are signing the same message, this scheme requires only 2 pairings per validation.

• Sizes

  • Private Keys: 32 Bytes.
  • Public Keys: 48 Bytes.
  • Signatures: 96 Bytes.

Discussion

BLS12-381 facts

• BLS12-381 is not a single curve, but a family of curves instantiated over different field extensions.
• The 12 stands for the Embedding degree.
  • https://www.quora.com/What-does-the-embedding-degree-in-elliptic-curve-represent-and-what-is-the-impact-of-its-values-on-the-curve-and-security
• The 381 means that the prime in the finite field F_p is of 381 bits, i.e. 2^381 points.

Sizes

Private Keys: 32 Bytes.

• The private key is just a scalar that your raise curve points to the power of. The subgroup order for G1 and G2 is r~2^255, so for private keys higher than this the point just wraps around. Therefore, useful private keys are <2^255 and fit into 32 bytes.
• Recall that r is defined here: https://electriccoin.co/blog/new-snark-curve/

Public Keys: 48 Bytes.

• 381 bit affine x coordinate, encoded into 48 big-endian bytes.
• See also https://github.com/ethereum/consensus-specs/blob/dev/specs/phase0/beacon-chain.md#custom-types

Signatures: 96 Bytes.

• Two 381 bit integers (affine x coordinate), encoded into two 48 big-endian byte arrays.
• The signature is a point on the G2 subgroup, which is defined over a finite field with elements twice as big as the G1 curve (G2 is over Fq2 rather than Fq. Fq2 is analogous to the complex numbers).
• See also https://github.com/ethereum/eth2.0-specs/blob/dev/specs/core/0_beacon-chain.md#custom-types

Bilinear pairings

A relative expensive calculation that satisfies the following properties.

e(P, Q + R) = e(P,Q) x e(P,R)
e(P + S, Q) = e(P,Q) x e(S,Q)

P, Q and R to be points within the elliptic curve. Operations + and x can be arbitrary operators.

It follows that we can say from these properties that

e(aP, Q) =

e(P + P + ... + P, Q) = e(P,Q) x ... x e(P,Q)

e(aP,Q) = e(P,Q) ^ a = e(P, aQ)

or

e(SUM(n)(Pi), Q) = MUL(n)(e(Pi, Q))

Signature and Verification

• Signature

S = pk x H(m)

That's all. One group multiplication.

• Verification

People will have P = pk x G, they can verify the signature by comparing the following pairings:

e(P, H(m)) = e(G,S)

This works, due to the fact that

e(P, H(m)) = e(pk x G, H(m))
           = e(G, pk x H(m))
           = e(G, S)

Signature Aggregation

If we have S = SUM(n)(Si), then

e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))

Now, remember that e(G, S) = e(P, H(m)), so

MUL(n)(e(G, Si)) = MUL(n)(e(Pi, H(mi)))

Further Reading

Standards / Specs

• BLS Standard Draft
  • https://github.com/cfrg/draft-irtf-cfrg-bls-signature
  • https://github.com/cfrg/draft-irtf-cfrg-bls-signature/blob/master/draft-irtf-cfrg-bls-signature-00.txt
• Ethereum 2.0 Spec for BLS signature verification
  • https://github.com/ethereum/consensus-specs/blob/dev/specs/phase0/beacon-chain.md#bls-signatures
  • https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04
• Sean Bowe - New zk-SNARK curve (2017.03.11)
  • https://electriccoin.co/blog/new-snark-curve/

Papers

• Boneh, Lynn, Shacham - Short signatures from the Weil pairing
  • https://www.iacr.org/archive/asiacrypt2001/22480516.pdf
• Boneh, Drijvers, Neven - Compact Multi-Signatures for Smaller Blockchains
  • https://eprint.iacr.org/2018/483.pdf
• Ben Lynn - On the Implementation of Pairing-Based Cryptosystems
  • https://crypto.stanford.edu/pbc/thesis.pdf
• Boneh, Gentry, Lynn, Shacham - Aggregate and Verifiably Encrypted Signatures from Bilinear Maps
  • http://crypto.stanford.edu/~dabo/papers/aggreg.pdf
• Craig Costello - Pairing for Beginners
  • http://www.craigcostello.com.au/pairings/PairingsForBeginners.pdf
• Victor S. Miller - Short Programs for functions on Curves
  • https://crypto.stanford.edu/miller/miller.pdf
• Michael Naehrig - Constructive and Computational Aspects of Cryptographic Pairings
  • https://cryptosith.org/michael/data/thesis/2009-05-13-diss.pdf
• Barreto, Naehrig - Pairing-Friendly Elliptic Curves of Prime Order
  • https://cryptojedi.org/papers/pfcpo.pdf

Articles / Posts

• Ben Edgington - BLS12-381 For The Rest Of Us
  • https://hackmd.io/@benjaminion/H1lkISO3JU
• Justin Drake - Proposal in Ethereum Research to use BLS Signature
  • https://ethresear.ch/t/pragmatic-signature-aggregation-with-bls/2105
• ORBS - Threshold Cryptography and Distributed Key Generation
  • https://www.orbs.com/wp-content/uploads/2018/07/Threshold-Cryptography-and-Digital-Key-Distribution.pdf
• Yonezawa, Saito, Kobayashi - Pairing-Friendly Curves
  • https://datatracker.ietf.org/meeting/105/materials/slides-105-cfrg-pairing-friendly-curves
• Vitalik Buterin - Exploring Elliptic Curve Pairings
  • https://medium.com/@VitalikButerin/exploring-elliptic-curve-pairings-c73c1864e627

Implementations

• BLS, Java Implementation
  • https://github.com/PegaSysEng/artemis/tree/master/util/src/main/java/tech/pegasys/artemis/util/bls
• BLS, Rust Implementation
  • https://github.com/lovesh/signature-schemes
• BLS, Go language Implementations
  • https://github.com/kilic/bls12-381
  • https://github.com/phoreproject/bls
    • Miller Loop
    • https://github.com/phoreproject/bls/blob/009ada0beb4120ff98ec7ee4bcd394fee6358742/pairing.go
• BLS, Javascript Implementation
  • https://github.com/paulmillr/noble-curves
• BLS, C++ Implementation
  • https://github.com/skalenetwork/libBLS
    • General Library. Leverages libff and Ben Lynn's pbc.
    • Interface enables to add the BLS12-381 curve parameters.

Notes

• Thanks a lot to @benjaminion !!!

Awesome gist, thank you! Still relevant in 2023!

The ETH specs have moved around a bit so the links aren't valid anymore:

• https://github.com/ethereum/eth2.0-specs/blob/dev/specs/core/0_beacon-chain.md#custom-types should be https://github.com/ethereum/consensus-specs/blob/dev/specs/phase0/beacon-chain.md#custom-types
• https://github.com/ethereum/eth2.0-specs/blob/dev/specs/bls_signature.md: file was deleted in this commit, so the correct link could be this one, or more likely a link to the IETF draft directly: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04

Thanks, updated.