A BLS digital signature, also known as Boneh–Lynn–Shacham[1] (BLS), is a cryptographic signature scheme which allows a user to verify that a signer is authentic. The scheme uses a bilinear pairing for verification, and signatures are elements of an elliptic curve group. Working in an elliptic curve group provides some defense against index calculus attacks (with the caveat that such attacks are still possible in the target group of the pairing), allowing shorter signatures than FDH signatures for a similar level of security.
A signature scheme consists of three functions: generate, sign, and verify.[1]
Key generation
The key generation algorithm selects a random integer such as . The private key is . The holder of the private key publishes the public key, .
Signing
Given the private key , and some message , we compute the signature by hashing the bitstring , as . We output the signature .
Verification
Given a signature and a public key , we verify that .
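The three steps above, as an added Python example (not code from the original page or from any BLS library), run on a constructed toy supersingular curve y^2 = x^3 + x over F_523 with a subgroup of order 131; these sizes give no security and are not BLS12-381. Assumptions: the helper names, the try-and-increment hash, the generator derived from the string "generator", and a check that compares the pairing of the signature with the generator against the pairing of the hashed message with the public key.

```python
import hashlib

P, R = 523, 131  # constructed toy sizes (no security): p = 3 mod 4, p + 1 = 4r

def slope(A, B):  # tangent slope if A == B, otherwise chord slope
    if A == B:
        return (3 * A[0] ** 2 + 1) * pow(2 * A[1], -1, P) % P
    return (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P) % P

def add(A, B):  # affine addition on y^2 = x^3 + x; None is infinity
    if A is None or B is None:
        return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    x3 = (slope(A, B) ** 2 - A[0] - B[0]) % P
    return x3, (slope(A, B) * (A[0] - x3) - A[1]) % P

def fmul(u, v):  # product in F_p[i] with i^2 = -1
    return (u[0] * v[0] - u[1] * v[1]) % P, (u[0] * v[1] + u[1] * v[0]) % P
def power(op, x, k, acc):  # k copies of x combined under op (acc = identity)
    while k:
        acc, x, k = (op(acc, x) if k & 1 else acc), op(x, x), k >> 1
    return acc

def pairing(A, Q):  # reduced Tate pairing of A with phi(Q) = (-x, i*y)
    def line(T, B):  # line through T and B, evaluated at phi(Q)
        if T[0] == B[0] and T != B:
            return 1, 0  # vertical line: value in F_p, removed by final exp
        return (slope(T, B) * (Q[0] + T[0]) - T[1]) % P, Q[1]
    f, T = (1, 0), A
    for bit in bin(R)[3:]:  # Miller loop over the bits of r below the top
        f, T = fmul(fmul(f, f), line(T, T)), add(T, T)
        if bit == "1":
            f, T = fmul(f, line(T, A)), add(T, A)
    return power(fmul, f, (P * P - 1) // R, (1, 0))

def hash_to_curve(msg):  # try-and-increment, then clear the cofactor 4
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(msg + bytes([ctr])).digest(), "big") % P
        y = pow(x ** 3 + x, (P + 1) // 4, P)
        pt = power(add, (x, y), 4, None) if (y * y - x ** 3 - x) % P == 0 else None
        if pt:
            return pt

G = hash_to_curve(b"generator")  # constructed generator of the order-r group
def sign(sk, msg):  # signature = sk * H(msg); the public key is sk * G
    return power(add, hash_to_curve(msg), sk, None)
def verify(pk, msg, sig):  # accept iff e(sig, G) == e(H(msg), pk)
    return pairing(sig, G) == pairing(hash_to_curve(msg), pk)
```

This toy `verify` assumes `pk` and `sig` are points of the order-131 subgroup other than infinity and does no input validation.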
Properties
Unique and deterministic: for a given key and message, there is only one valid signature (like RSA PKCS1 v1.5, EdDSA and unlike RSA PSS, DSA, ECDSA and Schnorr).[3]
Signature Aggregation: Multiple signatures generated under multiple public keys for multiple messages can be aggregated into a single signature.[4]
BLS12-381 is part of a family of elliptic curves named after Barreto, Lynn, and Scott[7] (a different BLS trio, except for the L). It was designed by Sean Bowe in early 2017 as the foundation for an upgrade to the Zcash protocol. It is both pairing-friendly (making it efficient for digital signatures) and effective for constructing zkSnarks.[8]
Implementations
To include BLS12-381 in IETF internet encryption standards.[9]
By 2020, BLS12-381 signatures were used extensively in version 2 (Eth2) of the Ethereum blockchain, as specified in the IETF draft BLS signature specification—for cryptographically assuring that a specific Eth2 validator has actually verified a particular transaction.[2] The use of BLS signatures in Ethereum is considered a solution to the verification bottleneck only for the medium term, as BLS signatures are not quantum secure. Over the longer term—say, 2025–2030—STARK aggregation is expected to be a drop-in replacement for BLS aggregation.[9][12]
Dfinity (developers of the "Internet Computer" cryptocurrency) BLS12-381 implementation.[9]