Skip to content

BLS Signature

Table of contents

Open Table of contents

What it is

The BLS Signature scheme is a digital signature algorithm that uses Elliptic Curve Pairings as a building block to generate very small signatures for arbitrary messages.

BLS Signatures furthermore exhibit desirable properties such as the ability to aggregate signatures to implement collaborative signing, no dependency on randomness during signing and its potential to be used in Zero-Knowledge Proof constructions.

How it works

As a prerequisite, it’s very useful to have some familiarity with Elliptic Curve Pairings before moving on to study BLS Signatures.

Recall that an Elliptic Curve Pairing maps two Elliptic Curve points from two Elliptic Curves to an element in another group:

e:E1×E2Fe: E_1 \times E_2 \rightarrow \mathbb{F}

Here, ee is the pairing, E1E_1 and E2E_2 are the Elliptic Curves and F\mathbb{F} is a finite field.

Also remember that an Elliptic Curve Pairing comes with specific properties called bilinear mappings, two of which are important for the rest of this post:

e(P+Q,R)=e(P,R)e(Q,R)e(aP,bQ)=e(P,Q)ab\begin{aligned} e(P + Q, R) &= e(P, R)e(Q, R) \\ e(aP, bQ) &= e(P, Q)^{ab} \end{aligned}

where PP, QQ and RR are Elliptic Curve points and aZa \in \mathbb{Z}, bZb \in \mathbb{Z}.

In our example we have two participants, Alice and Bob. Alice will sign a message which in turn will be verified by Bob.

Furthermore we’ll be working with the Elliptic Curve EE that is of order qq and has a generator GG. The Elliptic Curve Pairing on such curve will be called ee.

We also assume that HH is a cryptographic hash function that maps a message mm to a uniformly random looking value.

As a first step, Alice generates here private key xx by sampling a random value from Zq\mathbb{Z}_q:

x$Zqx \overset{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_q

She then generates here public key XX by multiplying her private key with the generator GG:

X=xGX = xG

Once done, Alice hashes the message mm which results in a value that can be interpreted a point pp on the Elliptic Curve EE:

p=H(m)p = H(m)

To generate a signature for the message mm, Alice multiplies her private key xx by the value that the hash of the message resulted in:

σ=xH(m)\sigma = xH(m)

Alice then sends the signature σ\sigma alongside her public key XX to Bob for verification.

Bob verifies the signature σ\sigma on the message mm by checking if:

e(H(m),X)=?e(σ,G)e(H(m), X) \overset{?}{=} e(\sigma, G)

BLS Signature

Why it works

The first thing to note is that the result returned by the hash function HH can be interpreted as a point on the Elliptic Curve EE. The hash value can therefore be used in an Elliptic Curve Pairing.

Using the aforementioned bilinear mapping, we can see that:

e(H(m),X)=?e(σ,G)=e(xH(m),G)=e(H(m),G)x=e(H(m),xG)=e(H(m),X)\begin{aligned} e(H(m), X) &\overset{?}{=} e(\sigma, G) \\ &= e(xH(m), G) \\ &= e(H(m), G)^{x} \\ &= e(H(m), xG) \\ &= e(H(m), X) \end{aligned}

Additional Resources