Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [bls-signature]

The Boneh-Lynn-Shacham Signature scheme is a scheme where multiple signatures can be combined into one and verified given a public key, the data to be verified and a single combined signature.

The BLS signature scheme is being standardized in Verifiable Random Functions (VRFs) - draft-irtf-cfrg-vrf-05. A short explanation can be found here (cryptologie.net).

59 questions
9
votes
2 answers

Standard parameters for Boneh–Lynn–Shacham signature?

The Boneh–Lynn–Shacham signature is (as far as I know) unrivaled in compactness, promising $b$-bit security for $2b$-bit signature (perhaps: asymptotically). Are there standard parameters for BLS signature, (being?) defined by standard bodies,…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
6
votes
1 answer

Proof of membership in an aggregated BLS signature

Is it possible to prove that a given signature is a part of an aggregated BLS signature? Specifically, given: $m_1...m_n$ are $n$ distinct messages $p_1...p_n$ are private keys with $P_1...P_n$ being the corresponding public keys $S_1...S_n$ are…
irakliy
  • 1,009
  • 8
  • 16
6
votes
1 answer

Elliptic curves with pairings at 128-bit security in libpbc?

I am using Ben Lynn's libpbc to implement a BLS threshold signature scheme and I am aiming for 128-bit security (i.e., a forgery attack should take around $2^{128}$ tries). I was wondering what curves in libpbc would provide this level of…
Alin Tomescu
  • 1,054
  • 10
  • 31
6
votes
1 answer

How does Boneh–Lynn–Shacham work?

As described by Wikipedia, BLS uses Diffie-Hellman in some way. I understand how Diffie-Hellman works in both its normal and elliptic curve forms. But what is the "pairing function"?
Melab
  • 4,178
  • 4
  • 24
  • 49
5
votes
1 answer

Compressing BLS signature with a hash function

It seems to me, that it should be possible to hash BLS signature to achieve significant space saving. Here is how it could work: Assuming we have a pairing-friendly elliptic curve with two generator points $G_1$ and $G_2$. Let's say my public key is…
irakliy
  • 1,009
  • 8
  • 16
5
votes
2 answers

Performance comparison between ECDSA and BLS signature schemes

I want to choose an efficient signature scheme for implementation on a lightweight MCU. I was wondering how does the performance of ECDSA and BLS signature schemes compare in terms of signing time and signature size, etc.?
Ihtesham Haider
  • 71
  • 4
5
votes
0 answers

Is secure non-interactive signature aggregation proven to be impossible with just ROM+DLP?

It is known that BLS signatures support non-interactive aggregation: given $n$ $(\operatorname{message}, \operatorname{public\_key}, \operatorname{signature})$ tuples, an $\mathcal{O}(1)$-sized aggregate signature can be produced, without…
Pieter Wuille
  • 425
  • 2
  • 12
5
votes
1 answer

What are the structural differences between BLS12-381 and BLS12-377?

What's the difference between BLS12-381 and BLS12-377? Previously I thought their basic cryptographic algorithms were same, so it's easy to construct BLS12-381 from BLS12-377, or construct BLS12-377 from BLS12-381, by just changing some curve…
Xing Chang
  • 53
  • 5
4
votes
1 answer

How is a BLS Private Key generated? What are the different names for the parts?

relic, the library used by the majority of BLS implementations, is rather difficult to build cross-platform. Because of this, I've been looking for other pure BLS implementations that don't rely on C - and I've found one in Go and another in…
root-aj
  • 193
  • 1
  • 6
4
votes
0 answers

Is BLS signature still conjectured to achieve $b$-bit security for $2b$-bit appendix?

The BLS signature scheme [1] promised $b$-bit security for signature with a $2b$-bit appendix, under classical hypothesis leaving aside the possibility of Quantum Computers usable for cryptanalysis. Hovav Shacham's 2005 thesis proposed to use…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
3
votes
1 answer

Mapping the hash of message to a point of elliptic curve for signature

Let the subgroup $G$ of elliptic curve constructed with point $P$ with prime order $q$ by $G=\langle P\rangle $. The $h(x)$ is a hash function. We want to map the hash of arbitrary message $m$ to a point in $G$ for use in the signature algorithm…
Amirhnr
  • 87
  • 4
3
votes
1 answer

Bilinear pairing for compact BLS signature

What family of bilinear pairing is recommendable for BLS signature when the overriding criteria is compactness of the signature, as desirable for something to be keyed-in from printout, or embedded in a small QR-code? Is there something giving…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
3
votes
1 answer

Elliptic Curve digital signature algorithm without "hashing to point"?

Through " Why do we need to convert hashes to points on an elliptic curve? ", I found out why Hashing to Point is necessary. However, using the algorithm below can sign and verify without Hasing to Point? $a$ is secret key $H$ is scalar hash…
user212942
  • 301
  • 1
  • 8
3
votes
1 answer

BLS signature scheme with G_1 = G_2

The Wikipedia page for BLS digital signature describes a scheme with only two groups, $G$ and $G_T$, and a bilinear pairing $e: G \times G \rightarrow G_T$. To the best of my understanding, in such a scheme both public keys and signatures would…
Matteo Monti
  • 1,477
  • 2
  • 14
  • 19
2
votes
0 answers

BLS signatures in the G-valued Random Oracle Model

This paper on semi-generic algorithms considers "non-standard properties of the employed hash function". For BLS signatures whose main group is $G$, I'm curious what can be shown when the hash function is a $G$-valued random oracle. Is there a…
user991
1
2 3 4