## Table of contents

## Open Table of contents

## What it is

Sometimes multiple signatures have to be validated at once which would usually be carried out by validating one signature after the other.

Doing this can be slow and resource intensive as the same mathematical operations have to be carried out multiple times.

BLS Signature Aggregation allows for multiple signatures to be validated in one, single batch.

The result of such validation is binary, meaning that either the validation succeeds of all signatures in the batch are valid or it’s rejected if at least one signature is invalid (even if the others are still valid).

## How it works

As a prerequisite, it’s useful to have a solid understanding of Elliptic Curve Pairings and BLS Signatures before continuing.

In this example we’ll be working with an Elliptic Curve $E$ that is of order $q$ and has a generator $G$.

We’ll also use a hash function $H$ as well as an Elliptic Curve Pairing $e$

$e: E_1 \times E_2 \rightarrow \mathbb{F}$where $e$ is the pairing that maps two Elliptic Curve points $E_1$ and $E_2$ to an element in a finite field $\mathbb{F}$.

Recall that an Elliptic Curve Pairing has the following bilinear mappings:

$\begin{aligned} e(P + Q, R) &= e(P, R)e(Q, R) \\ e(aP, bQ) &= e(P, Q)^{ab} \end{aligned}$where $P$, $Q$ and $R$ are Elliptic Curve points and $a \in \mathbb{Z}$, $b \in \mathbb{Z}$.

We assume that we want to aggregate and validate $n$ BLS Signatures. Therefore the following steps will be done $n$ times (once per signature):

- Generate a private key by sampling a random value from $\mathbb{Z}_q$:

- Derive the public key from the private key $x_i$ by multiplying it with the generator $G$:

- Generate the signature by multiplying the private key with a hash of the message $m_i$, the result of which can be interpreted as a point on the Elliptic Curve:

Once we did the above steps $n$ times to generate all the signatures for each individual message we can aggregate them:

$\sigma = \sigma_1, ..., \sigma_n$To verify this aggregated signature we can check the following:

$e[H(m_1), X_1] \times ... \times e[H(m_n), X_n] \overset{?}{=} e(\sigma, G)$Note that compared to the regular BLS Signature verification algorithm, we’re multiplying the Elliptic Curve Pairings of the individual signatures, yet still check the result of that operation against the pairing of the aggregated signature and the generator (which is the same pairing that’s also checked against in regular BLS Signature verifications).

## Why it works

Using the aforementioned bilinear mappings for Elliptic Curve Pairings we can expand the right hand side of the signature verification check to see that the equality is indeed present:

$\begin{aligned} e[H(m_1), X_1] \times ... \times e[H(m_n), X_n] &\overset{?}{=} e(\sigma, G) \\ &= e(\sigma_1 + ... + \sigma_n, G) \\ &= e[x_1H(m_1) + ... + x_nH(m_n), G] \\ &= e[x_1H(m_1), G] \times ... \times e[x_nH(m_n), G] \\ &= e[H(m_1), G]^{x_1} \times ... \times e[H(m_n), G]^{x_n} \\ &= e[H(m_1), x_1G] \times ... \times e[H(m_n), x_nG] \\ &= e[H(m_1), X_1] \times ... \times e[H(m_n), X_n] \end{aligned}$## Resources

- Wikipedia - BLS Digital Signature
- Remco Bloemen - BLS Signatures
- Paul Miller - BLS Signature for Busy People
- Stepan - BLS signatures: better than Schnorr
- Ben Edgington - BLS12-381 For The Rest Of Us
- David Wong - What is the BLS signature scheme?
- Nguyen Thoi Minh Quan - Intuitive Advanced Cryptography