draft-irtf-cfrg-bls-signature-00.txtStanford UniversityUSAdabo@cs.stanford.eduStanford UniversityUSArsw@cs.stanford.eduAlgorand and University of WaterlooBoston, MAUSAsergey@algorand.comAlgorand and ENS, ParisBoston, MAUSAwee@di.ens.frAlgorandBoston, MAUSAzhenfei@algorand.com
InternetCFRGBLS is a digital signature scheme with compression properties.
With a given set of signatures (signature_1, ..., signature_n) anyone can produce
a compressed signature signature_compressed. The same is true for a set of
secret keys or public keys, while keeping the connection between sets
(i.e., a compressed public key is associated to its compressed secret key).
Furthermore, the BLS signature scheme is deterministic, non-malleable,
and efficient. Its simplicity and cryptographic properties allows it
to be useful in a variety of use-cases, specifically when minimal
storage space or bandwidth are required.A signature scheme is a fundamental cryptographic primitive
that is used to protect authenticity and integrity of communication.
Only the holder of a secret key can sign messages, but anyone can
verify the signature using the associated public key.Signature schemes are used in point-to-point secure communication
protocols, PKI, remote connections, etc.
Designing efficient and secure digital signature is very important
for these applications.This document describes the BLS signature scheme. The scheme enjoys a variety
of important efficiency properties:The public key and the signatures are encoded as single group elements.Verification requires 2 pairing operations.A collection of signatures (signature_1, ..., signature_n) can be compressed
into a single signature (signature). Moreover, the compressed signature can
be verified using only n+1 pairings (as opposed to 2n pairings, when verifying
n signatures separately).Given the above properties,
the scheme enables many interesting applications.
The immediate applications includeauthentication and integrity for Public Key Infrastructure (PKI) and blockchains.
The usage is similar to classical digital signatures, such as ECDSA.compressing signature chains for PKI and Secure Border Gateway Protocol (SBGP).
Concretely, in a PKI signature chain of depth n, we have n signatures by n
certificate authorities on n distinct certificates. Similarly, in SBGP,
each router receives a list of n signatures attesting to a path of length n
in the network. In both settings, using the BLS signature scheme would allow us
to compress the n signatures into a single signature.consensus protocols for blockchains.
There, BLS signatures
are used for authenticating transactions as well as votes during the consensus
protocol, and the use of aggregation significantly reduces the bandwidth
and storage requirements.The following comparison assumes BLS signatures with curve BLS12-381, targeting
128 bits security.For 128 bits security, ECDSA takes 37 and 79 micro-seconds to sign and verify
a signature on a typical laptop. In comparison, for the same level of security,
BLS takes 370 and 2700 micro-seconds to sign and verify
a signature.In terms of sizes, ECDSA uses 32 bytes for public keys and 64 bytes for signatures;
while BLS uses 96 bytes for public keys, and 48 bytes for signatures.
Alternatively, BLS can also be instantiated with 48 bytes of public keys and 96 bytes
of signatures.
BLS also allows for signature compression. In other words, a single signature is
sufficient to anthenticate multiple messages and public keys.This document is organized as follows:The remainder of this section defines terminology and the high-level API. defines primitive operations used in the BLS signature scheme.
These operations MUST NOT be used alone. defines three BLS Signature schemes giving slightly different
security and performance properties. defines the format for a ciphersuites and gives recommended ciphersuites.The appendices give test vectors, etc.The following terminology is used through this document:SK: The secret key for the signature scheme.PK: The public key for the signature scheme.message: The input to be signed by the signature scheme.signature: The digital signature output.aggregation: Given a list of signatures for a list of messages and public keys,
an aggregation algorithm generates one signature that authenticates the same
list of messages and public keys.rogue key attack:
An attack in which a specially crafted public key (the "rogue" key) is used
to forge an aggregated signature.
specifies methods for securing against rogue key attacks.The following notation and primitives are used:a || b denotes the concatenation of octet strings a and b.A pairing-friendly elliptic curve defines the following primitives
(see for detailed discussion):
E1, E2: elliptic curve groups defined over finite fields.
This document assumes that E1 has a more compact representation than
E2, i.e., because E1 is defined over a smaller field than E2.G1, G2: subgroups of E1 and E2 (respectively) having prime order r.P1, P2: distinguished points that generate of G1 and G2, respectively.GT: a subgroup, of prime order r, of the multiplicative group of a field extension.e : G1 x G2 -> GT: a non-degenerate bilinear map.For the above pairing-friendly curve, this document
writes operations in E1 and E2 in additive notation, i.e.,
P + Q denotes point addition and x * P denotes scalar multiplication.
Operations in GT are written in multiplicative notation, i.e., a * b
is field multiplication.For each of E1 and E2 defined by the above pairing-friendly curve,
we assume that the pairing-friendly elliptic curve definition provides
several primitives, described below.
Note that these primitives are named generically.
When referring to one of these primitives for a specific group,
this document appends the name of the group, e.g.,
point_to_octets_E1, subgroup_check_E2, etc.
point_to_octets(P) -> ostr: returns the canonical representation of
the point P as an octet string.
This operation is also known as serialization.octets_to_point(ostr) -> P: returns the point P corresponding to the
canonical representation ostr, or INVALID if ostr is not a valid output
of point_to_octets.
This operation is also known as deserialization.subgroup_check(P) -> VALID or INVALID: returns VALID when the point P
is an element of the subgroup of order r, and INVALID otherwise.
This function can always be implemented by checking that r * P is equal
to the identity element. In some cases, faster checks may also exist,
e.g., .I2OSP and OS2IP are the functions defined in , Section 4.hash_to_point(ostr) -> P: a cryptographic hash function that takes as input an
arbitrary octet string and returns a point on an elliptic curve.
Functions of this kind are defined in .
Each of the ciphersuites in specifies the hash_to_point
algorithm to be used.The BLS signature scheme defines the following API:KeyGen(IKM) -> PK, SK: a key generation algorithm that
takes as input an octet string comprising secret keying material,
and outputs a public key PK and corresponding secret key SK.Sign(SK, message) -> signature: a signing algorithm that generates a
deterministic signature given a secret key SK and a message.Verify(PK, message, signature) -> VALID or INVALID:
a verification algorithm that outputs VALID if signature is a valid
signature of message under public key PK, and INVALID otherwise.Aggregate(signature_1, ..., signature_n) -> signature:
an aggregation algorithm that compresses a collection of signatures
into a single signature.AggregateVerify((PK_1, message_1), ..., (PK_n, message_n), signature) -> VALID or INVALID:
an aggregate verification algorithm that outputs VALID if signature
is a valid aggregated signature for a collection of public keys and messages,
and outputs INVALID otherwise.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .This section defines core operations used by the schemes defined in .
These operations MUST NOT be used except as described in that section.Each core operation has two variants that trade off signature
and public key size:Minimal-signature-size: signatures are points in G1,
public keys are points in G2.
(Recall from that E1 has a more compact representation than E2.)Minimal-pubkey-size: public keys are points in G1,
signatures are points in G2.
Implementations using signature aggregation SHOULD use this approach,
since the size of (PK_1, ..., PK_n, signature) is dominated by
the public keys even for small n.The core operations in this section depend on several parameters:A signature variant, either minimal-signature-size or minimal-pubkey-size.
These are defined in .A pairing-friendly elliptic curve, plus associated functionality
given in .H, a hash function H that MUST be a secure cryptographic hash function,
e.g., SHA-256 .
For security, H MUST output at least ceil(log2(r)) bits, where r is
the order of the subgroups G1 and G2 defined by the pairing-friendly
elliptic curve.hash_to_point, a function whose interface is described in .
When the signature variant is minimal-signature-size, this function
MUST output a point in G1.
When the signature variant is minimal-pubkey size, this function
MUST output a point in G2.
For security, this function MUST be either a random oracle encoding or a
nonuniform encoding, as defined in .In addition, the following primitives are determined by the above parameters:P, an elliptic curve point.
When the signature variant is minimal-signature-size, P is the
distinguished point P2 that generates the group G2 (see ).
When the signature variant is minimal-pubkey-size, P is the
distinguished point P1 that generates the group G1.r, the order of the subgroups G1 and G2 defined by the pairing-friendly curve.pairing, a function that invokes the function e of ,
with argument order depending on signature variant:
For minimal-signature-size:
pairing(U, V) := e(U, V)For minimal-pubkey-size:
pairing(U, V) := e(V, U)point_to_pubkey and point_to_signature, functions that invoke the
appropriate serialization routine () depending on
signature variant:
For minimal-signature-size:
point_to_pubkey(P) := point_to_octets_E2(P)
point_to_signature(P) := point_to_octets_E1(P)For minimal-pubkey-size:
point_to_pubkey(P) := point_to_octets_E1(P)
point_to_signature(P) := point_to_octets_E2(P)pubkey_to_point and signature_to_point, functions that invoke the
appropriate deserialization routine () depending on
signature variant:
For minimal-signature-size:
pubkey_to_point(ostr) := octets_to_point_E2(ostr)
signature_to_point(ostr) := octets_to_point_E1(ostr)For minimal-pubkey-size:
pubkey_to_point(ostr) := octets_to_point_E1(ostr)
signature_to_point(ostr) := octets_to_point_E2(ostr)pubkey_subgroup_check and signature_subgroup_check, functions
that invoke the appropriate subgroup check routine ()
depending on signature variant:
For minimal-signature-size:
pubkey_subgroup_check(P) := subgroup_check_E2(P)
signature_subgroup_check(P) := subgroup_check_E1(P)For minimal-pubkey-size:
pubkey_subgroup_check(P) := subgroup_check_E1(P)
signature_subgroup_check(P) := subgroup_check_E2(P)The KeyGen algorithm generates a pair (PK, SK) deterministically using
the secret octet string IKM.KeyGen uses HKDF instantiated with the hash function H.For security, IKM MUST be infeasible to guess, e.g.,
generated by a trusted source of randomness.
IKM MUST be at least 32 bytes long, but it MAY be longer.Because KeyGen is deterministic, implementations MAY choose either to
store the resulting (PK, SK) or to store IKM and call KeyGen to derive
the keys when necessary.The KeyValidate algorithm ensures that a public key is valid.The CoreSign algorithm computes a signature from SK, a secret key,
and message, an octet string.The CoreVerify algorithm checks that a signature is valid for
the octet string message under the public key PK.The public key PK must satisfy KeyValidate(PK) == VALID ().The Aggregate algorithm compresses multiple signatures into one.The CoreAggregateVerify algorithm checks an aggregated signature
over several (PK, message) pairs.All public keys PK_i must satisfy KeyValidate(PK_i) == VALID
().This section defines three signature schemes: basic, message augmentation,
and proof of possession.
These schemes differ in the ways that they defend against rogue key
attacks ().All of the schemes in this section are built on a set of core operations
defined in .
Thus, defining a scheme requires fixing a set of parameters as
defined in .All three schemes expose the KeyGen and Aggregate operations
that are defined in .
The sections below define the other API functions ()
for each scheme.In a basic scheme, rogue key attacks are handled by requiring
all messages signed by an aggregate signature to be distinct.
This requirement is enforced in the definition of AggregateVerify.The Sign and Verify functions are identical to CoreSign and
CoreVerify (), respectively.
AggregateVerify is defined below.All public keys PK supplied as arguments to Verify and AggregateVerify
MUST satisfy KeyValidate(PK) == VALID ().This function first ensures that all messages are distinct, and then
invokes CoreAggregateVerify.In a message augmentation scheme, signatures are generated
over the concatenation of the public key and the message,
ensuring that messages signed by different public keys are
distinct.All public keys PK supplied as arguments to Verify and AggregateVerify
MUST satisfy KeyValidate(PK) == VALID ().To match the API for Sign defined in , this function
recomputes the public key corresponding to the input SK.
Implementations MAY instead implement an interface that takes
the public key as an input.Note that the point P and the point_to_pubkey function are
defined in .A proof of possession scheme uses a separate public key
validation step, called a proof of possession, to defend against
rogue key attacks.
This enables an optimization to aggregate signature verification
for the case that all signatures are on the same message.The Sign, Verify, and AggregateVerify functions
are identical to CoreSign, CoreVerify, and CoreAggregateVerify
(), respectively.
In addition, a proof of possession scheme defines three functions beyond
the standard API ():PopProve(SK) -> proof: an algorithm that generates a proof of possession
for the public key corresponding to secret key SK.PopVerify(PK, proof) -> VALID or INVALID:
an algorithm that outputs VALID if proof is valid for PK, and INVALID otherwise.FastAggregateVerify(PK_1, ..., PK_n, message, signature) -> VALID or INVALID:
a verification algorithm for the aggregate of multiple signatures on
the same message.
This function is faster than AggregateVerify.All public keys used by Verify, AggregateVerify, and FastAggregateVerify
MUST be accompanied by a proof of possession generated by PopProve,
and the result of PopVerify on this proof MUST be VALID.In addition to the parameters required to instantiate the core operations
(), a proof of possession scheme requires one further parameter:hash_pubkey_to_point(PK) -> P: a cryptographic hash function that takes as
input a public key and outputs a point in the same subgroup as the
hash_to_point algorithm used to instantiate the core operations.
For security, this function MUST be orthogonal to the hash_to_point function.
In addition, this function MUST be either a random oracle encoding or a
nonuniform encoding, as defined in .
The RECOMMENDED way of instantiating hash_pubkey_to_point is to use
the same hash-to-curve function as hash_to_point, with a
different domain separation tag (see , Section 5.1).This function recomputes the public key coresponding to the input SK.
Implementations MAY instead implement an interface that takes the
public key as input.Note that the point P and the point_to_pubkey and point_to_signature
functions are defined in .
The hash_pubkey_to_point function is defined in .Note that the following uses several functions defined in .
The hash_pubkey_to_point function is defined in .Note that the following uses several functions defined in .This section defines the format for a BLS ciphersuite.
It also gives concrete ciphersuites based on the BLS12-381 pairing-friendly
elliptic curve .A ciphersuite specifies all parameters from ,
a scheme from , and any parameters the scheme requires.
In particular, a ciphersuite comprises:ID: the ciphersuite ID, an ASCII string. The RECOMMENDED format for
this string is
"BLS_SIG_" || H2C_SUITE || "_" || SC_TAG || "_"
strings in double quotes are literal ASCII octet sequencesH2C_SUITE is the name of the hash-to-curve ciphersuite
used to define the hash_to_point and hash_pubkey_to_point
functions.SC_TAG SHOULD be "NUL" when SC is basic,
"AUG" when SC is message-augmentation, or
"POP" when SC is proof-of-possession.SC: the scheme, either basic, message-augmentation, or proof-of-possession.SV: the signature variant, either minimal-signature-size or
minimal-pubkey-size.EC: a pairing-friendly elliptic curve, plus all associated functionality
().H: a cryptographic hash function.hash_to_point: a hash from arbitrary strings to elliptic curve points.
It is RECOMMENDED that hash_to_point be defined in terms of a
hash-to-curve suite with domain separation tag equal
to the ID string.hash_pubkey_to_point (only specified when SC is proof-of-possession):
a hash from serialized public keys to elliptic curve points.
It is RECOMMENDED that hash_pubkey_to_point be defined in terms of a
has-to-curve suite , with domain separation tag
constructed similarly to the ID string, namely:
"BLS_POP_" || H2C_SUITE || "_" || SC_TAG || "_"The following ciphersuites are all built on the BLS12-381 elliptic curve.
The required primitives for this curve are given in .These ciphersuites use the hash-to-curve suites BLS12381G1-SHA256-SSWU-RO-
and BLS12381G2-SHA256-SSWU-RO- defined in .
Each ciphersuite defines a unique hash_to_point function by specifying
a domain separation tag (see [@I-D.irtf-cfrg-hash-to-curve, Section 5.1).The ciphersuite with ID
BLS_SIG_BLS12381G1-SHA256-SSWU-RO-_NUL_
uses the following parameters, in addition to the common parameters below.SV: minimal-signature-sizehash_to_point: BLS12381G1-SHA256-SSWU-RO- with the ASCII domain separation tag
BLS_SIG_BLS12381G1-SHA256-SSWU-RO-_NUL_The ciphersuite with ID
BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_NUL_
uses the following parameters, in addition to the common parameters below.SV: minimal-pubkey-sizehash_to_point: BLS12381G2-SHA256-SSWU-RO- with the ASCII domain separation tag
BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_NUL_The above ciphersuites share the following common parameters:SC: basicEC: BLS12-381, as defined in .H: SHA-256The ciphersuite with ID
BLS_SIG_BLS12381G1-SHA256-SSWU-RO-_AUG_
uses the following parameters, in addition to the common parameters below.SV: minimal-signature-sizehash_to_point: BLS12381G1-SHA256-SSWU-RO- with the ASCII domain separation tag
BLS_SIG_BLS12381G1-SHA256-SSWU-RO-_AUG_The ciphersuite with ID
BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_AUG_
uses the following parameters, in addition to the common parameters below.SV: minimal-pubkey-sizehash_to_point: BLS12381G2-SHA256-SSWU-RO- with the ASCII domain separation tag
BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_AUG_The above ciphersuites share the following common parameters:SC: message-augmentationEC: BLS12-381, as defined in .H: SHA-256The ciphersuite with ID
BLS_SIG_BLS12381G1-SHA256-SSWU-RO-_POP_
uses the following parameters, in addition to the common parameters below.SV: minimal-signature-sizehash_to_point: BLS12381G1-SHA256-SSWU-RO- with the ASCII domain separation tag
BLS_SIG_BLS12381G1-SHA256-SSWU-RO-_POP_hash_pubkey_to_point: BLS12381G1-SHA256-SSWU-RO- with the ASCII domain separation tag
BLS_POP_BLS12381G1-SHA256-SSWU-RO-_POP_The ciphersuite with ID
BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_
uses the following parameters, in addition to the common parameters below.SV: minimal-pubkey-sizehash_to_point: BLS12381G2-SHA256-SSWU-RO- with the ASCII domain separation tag
BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_hash_pubkey_to_point: BLS12381G2-SHA256-SSWU-RO- with the ASCII domain separation tag
BLS_POP_BLS12381G2-SHA256-SSWU-RO-_POP_The above ciphersuites share the following common parameters:SC: proof-of-possessionEC: BLS12-381, as defined in .H: SHA-256All algorithms in and that operate on public keys
require first validating these keys.
For the basic and message augmentation schemes, the use of KeyValidate
is REQUIRED.
For the proof of possession scheme, each public key MUST be accompanied by
a proof of possession, and use of PopVerify is REQUIRED.Note that implementations MAY cache validation results for public keys
in order to avoid unnecessarily repeating validation for known keys.Some existing implementations skip the signature_subgroup_check invocation
in CoreVerify (), whose purpose is ensuring that the signature
is an element of a prime-order subgroup.
This check is REQUIRED of conforming implementations, for two reasons.For most pairing-friendly elliptic curves used in practice, the pairing
operation e () is undefined when its input points are not
in the prime-order subgroups of E1 and E2.
The resulting behavior is unpredictable, and may enable forgeries.Even if the pairing operation behaves properly on inputs that are outside
the correct subgroups, skipping the subgroup check breaks the strong
unforgeability property.Implementations of the signing algorithm SHOULD protect the secret key
from side-channel attacks.
One method for protecting against certain side-channel attacks is ensuring
that the implementation executes exactly the same sequence of
instructions and performs exactly the same memory accesses, for any
value of the secret key.
In other words, implementations on the underlying pairing-friendly elliptic
curve SHOULD run in constant time.BLS signatures are deterministic. This protects against attacks
arising from signing with bad randomness, for example, the nonce reuse
attack on ECDSA .As discussed in , the IKM input to KeyGen MUST be infeasible
to guess and MUST be kept secret.
One possibility is to generate IKM from a trusted source of randonmess.
Guidelines on constructing such a source are outside the scope of this
document.The security analysis models hash_to_point and hash_pubkey_to_point
as random oracles.
It is crucial that these functions are implemented using a cryptographically
secure hash function.
For this purpose, implementations MUST meet the requirements of
.In addition, ciphersuites MUST specify unique domain separation tags
for hash_to_point and hash_pubkey_to_point.
The domain separation tag format used in is the RECOMMENDED one.This section will be removed in the final version of the draft.
There are currently several implementations of BLS signatures using the BLS12-381 curve.Algorand: bls_sigs_refChia: specpython/C++. Here, they are
swapping G1 and G2 so that the public keys are small, and the benefits
of avoiding a membership check during signature verification would even be more
substantial. The current implementation does not seem to implement the membership check.
Chia uses the Fouque-Tibouchi hashing to the curve, which can be done in constant time.Dfinity: goBLS. The current implementations do not seem to implement the membership check.Ethereum 2.0: specPairing-friendly curves draft-yonezawa-pairing-friendly-curvesPairing-based Identity-Based Encryption IEEE 1363.3.Identity-Based Cryptography Standard rfc5901.Hashing to Elliptic Curves draft-irtf-cfrg-hash-to-curve-04, in order to implement the hash function hash_to_point.EdDSA rfc8032TBD (consider to register ciphersuite identifiers for BLS signature and underlying
pairing curves)BLS12-381Electric Coin CompanyAggregate and verifiably encrypted signatures from bilinear mapsStanford UniversityStanford UniversityStanford UniversityStanford UniversityThreshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature SchemeUniversity of California, San DiegoFaster subgroup checks for BLS12-381Electric Coin CompanyMining your Ps and Qs: Detection of widespread weak keys in network devicesUniversity of California, San DiegoThe University of MichiganThe University of MichiganThe University of MichiganUnrestricted aggregate signaturesUniversity of California, San DiegoThammasat UniversityKatholieke Universiteit LeuvenCompact multi-signatures for shorter blockchainsStanford UniversityDFINITYETH ZurichFIPS Publication 180-4: Secure Hash StandardNational Institute of Standards and Technology (NIST)The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key AttacksUniversity of California, San DiegoUniversity of California, San DiegoShort signatures from the Weil pairingStanford UniversityStanford UniversityStanford UniversitySequential Aggregate Signatures and Multisignatures Without Random OraclesUniversity of California, Los AngelesUniversity of California, Los AngelesUniversity of California, Los AngelesWeizmann InstituteSRI InternationalThe ciphersuites in are based upon the BLS12-381
pairing-friendly elliptic curve.
The following defines the correspondence between the primitives
in and the parameters given in Section 4.2.2 of
.E1, G1: the curve E and its order-r subgroup.E2, G2: the curve E' and its order-r subgroup.GT: the subgroup G_T.P1: the point BP.P2: the point BP'.e: the optimal Ate pairing defined in Appendix A of
.point_to_octets and octets_to_point use the compressed
serialization formats for E1 and E2 defined by .subgroup_check MAY use either the naive check described
in or the optimized check given by .TBA: (i) test vectors for both variants of the signature scheme
(signatures in G2 instead of G1) , (ii) test vectors ensuring
membership checks, (iii) intermediate computations ctr, hm.The security properties of the BLS signature scheme are proved in . prove the security of aggregate signatures over distinct messages,
as in the basic scheme of . prove security of the message augmentation scheme of . prove security of constructions related to the proof
of possession scheme of . prove the security of another rogue key defense; this
defense is not standardized in this document.