- BLS stands for
  - Barreto-Lynn-Scott: BLS12, a Pairing Friendly Elliptic Curve.
  - Boneh-Lynn-Shacham: A Signature Scheme.
- Signature Aggregation
  - It is possible to verify `n` aggregate signatures on the same message with just `2` pairings instead of `n+1`.
- Secure enclaves to provide the following APIs
  - Private Key generation
    - https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00#section-2.3
    - Now, in practical terms, you may want to generate your keys in a separate ceremony, and create a procedure to add them into your device.
  - Public Key computation (`pk X G`)
    - Where `pk` is the private key, `X` is the group multiplication, and `G` is the generator.
  - `Sign(pk, message)`
- BLS Relies on Bilinear Pairing
  - Expensive. Now, given that we are signing the same message, this scheme requires only 2 pairings per validation.
- Sizes
  - Private Keys: 32 Bytes.
  - Public Keys: 48 Bytes.
  - Signatures: 96 Bytes.
- BLS12-381 is not a single curve, but a family of curves instantiated over different field extensions.
- The 12 stands for the Embedding degree.
- The 381 means that the prime in the finite field `F_p` is of 381 bits, i.e. 2^381 points.
- Private key: the private key is just a scalar that you raise curve points to the power of. The subgroup order for G1 and G2 is `r ~ 2^255`, so for private keys higher than this the point just wraps around. Therefore, useful private keys are `< 2^255` and fit into 32 bytes.
  - Recall that `r` is defined here: https://electriccoin.co/blog/new-snark-curve/
- Public key: 381 bit affine x coordinate, encoded into 48 big-endian bytes.
  - See also https://github.com/ethereum/consensus-specs/blob/dev/specs/phase0/beacon-chain.md#custom-types
- Signature: two 381 bit integers (affine x coordinate), encoded into two 48 big-endian byte arrays.
  - The signature is a point on the G2 subgroup, which is defined over a finite field with elements twice as big as the G1 curve (G2 is over Fq2 rather than Fq; Fq2 is analogous to the complex numbers).
  - See also https://github.com/ethereum/eth2.0-specs/blob/dev/specs/core/0_beacon-chain.md#custom-types
A relatively expensive calculation that satisfies the following properties.

```
e(P, Q + R) = e(P,Q) x e(P,R)
e(P + S, Q) = e(P,Q) x e(S,Q)
```

Here `P`, `Q` and `R` are points on the elliptic curve. The operations `+` and `x` can be arbitrary operators.

It follows from these properties that

```
e(aP, Q) = e(P + P + ... + P, Q) = e(P,Q) x ... x e(P,Q)
e(aP,Q) = e(P,Q) ^ a = e(P, aQ)
```

or

```
e(SUM(n)(Pi), Q) = MUL(n)(e(Pi, Q))
```
- Signature

  `S = pk x H(m)`

  That's all. One group multiplication.

- Verification

  People will have `P = pk x G`, they can verify the signature by comparing the following pairings:

  `e(P, H(m)) = e(G,S)`

  This works, due to the fact that

  ```
  e(P, H(m)) = e(pk x G, H(m))
             = e(G, pk x H(m))
             = e(G, S)
  ```
If we have `S = SUM(n)(Si)`, then

```
e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
```

Now, remember that `e(G, S) = e(P, H(m))`, so

```
MUL(n)(e(G, Si)) = MUL(n)(e(Pi, H(mi)))
```
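The signing, verification and aggregation equations above made executable, as an added example that is not part of the original gist. It uses a toy bilinear map (group elements stored as scalars modulo a small constructed prime `R`, so it is insecure and is not BLS12-381) and counts pairing evaluations to show `2` for the same-message case against `n+1` in general. All names and parameters are assumptions chosen for illustration.

```python
import hashlib

# Toy parameters (constructed): NOT BLS12-381 and NOT secure. A "point" aG is
# stored as the scalar a mod R, so discrete logs are exposed on purpose.
R = 1019              # prime subgroup order
P_MOD = 2 * R + 1     # 2039, prime: Z_p^* contains a subgroup of order R
GT_GEN = 4            # generator of that order-R target group
G = 1                 # generator "point"
pairings = 0          # number of pairing evaluations so far

def e(p, q):
    """Toy bilinear map: e(aG, bG) = GT_GEN^(ab)."""
    global pairings
    pairings += 1
    return pow(GT_GEN, (p * q) % R, P_MOD)

def H(m):
    """Hash a message to a nonzero toy point."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (R - 1) + 1

def pubkey(pk):
    return (pk * G) % R              # P = pk x G

def sign(pk, m):
    return (pk * H(m)) % R           # S = pk x H(m)

def aggregate(points):
    return sum(points) % R           # SUM(n)(...)

def verify(P, m, S):
    return e(P, H(m)) == e(G, S)

def verify_aggregate(Ps, ms, S):
    """General case, n + 1 pairings: e(G, S) == MUL(n)(e(Pi, H(mi)))."""
    rhs = 1
    for P, m in zip(Ps, ms):
        rhs = rhs * e(P, H(m)) % P_MOD
    return e(G, S) == rhs

def verify_same_message(Ps, m, S):
    """Same message, 2 pairings: e(G, S) == e(SUM(n)(Pi), H(m))."""
    return e(G, S) == e(aggregate(Ps), H(m))

def count_pairings(fn, *args):
    """Run a verifier and return (result, pairings it evaluated)."""
    global pairings
    pairings = 0
    return fn(*args), pairings
```

The same-message check works because `e(SUM(n)(Pi), Q) = MUL(n)(e(Pi, Q))`, so the `n` right-hand pairings collapse into one over the summed public keys.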
- BLS Standard Draft
- Ethereum 2.0 Spec for BLS signature verification
- Sean Bowe - New zk-SNARK curve (2017.03.11)
- Boneh, Lynn, Shacham - Short signatures from the Weil pairing
- Boneh, Drijvers, Neven - Compact Multi-Signatures for Smaller Blockchains
- Ben Lynn - On the Implementation of Pairing-Based Cryptosystems
- Boneh, Gentry, Lynn, Shacham - Aggregate and Verifiably Encrypted Signatures from Bilinear Maps
- Craig Costello - Pairing for Beginners
- Victor S. Miller - Short Programs for functions on Curves
- Michael Naehrig - Constructive and Computational Aspects of Cryptographic Pairings
- Barreto, Naehrig - Pairing-Friendly Elliptic Curves of Prime Order
- Ben Edgington - BLS12-381 For The Rest Of Us
- Justin Drake - Proposal in Ethereum Research to use BLS Signature
- ORBS - Threshold Cryptography and Distributed Key Generation
- Yonezawa, Saito, Kobayashi - Pairing-Friendly Curves
- Vitalik Buterin - Exploring Elliptic Curve Pairings
- BLS, Java Implementation
- BLS, Rust Implementation
- BLS, Go language Implementations
- BLS, Javascript Implementation
- BLS, C++ Implementation
  - https://github.com/skalenetwork/libBLS
    - General Library. Leverages libff and Ben Lynn's pbc.
    - Interface enables adding the `BLS12-381` curve parameters.
- Thanks a lot to @benjaminion !!!
Awesome gist, thank you! Still relevant in 2023!
The ETH specs have moved around a bit so the links aren't valid anymore:
- https://github.com/ethereum/eth2.0-specs/blob/dev/specs/core/0_beacon-chain.md#custom-types should be https://github.com/ethereum/consensus-specs/blob/dev/specs/phase0/beacon-chain.md#custom-types
- https://github.com/ethereum/eth2.0-specs/blob/dev/specs/bls_signature.md: file was deleted in this commit, so the correct link could be this one, or more likely a link to the IETF draft directly: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04