The acronym BLS stands for Boneh–Lynn–Shacham, originally proposed as a signature scheme by Stanford University professor Dan Boneh and others in 2001. The most recent update to this signature scheme was in 2018, when Professor Boneh and Manu Drijvers from IBM Research refined it.
Unlike previous signature schemes, BLS incorporates elliptic curve pairing technology based on bilinear mappings to achieve signature verification and aggregation.
Threshold Signature Schemes
Firstly, let’s delve into the concept of a threshold signature scheme, which acts as a cryptographic primitive enabling a group of participants to collectively own a private key. In this scheme, a minimum number of participants need to collaborate to generate a signature that a single public key can validate. Threshold signatures prove especially valuable in scenarios requiring the establishment of distributed trust roots among a group of equally trusted parties. Certain implementations of threshold signature schemes mandate performing signing operations under heavy loads and at scale. For example, a group of signers might employ threshold signatures to authenticate financial transactions in cryptocurrencies or to endorse network consensuses created by a coalition of trusted institutions. In both instances, as the number of signers or signing operations grows, the burden on each signer escalates, while the communication rounds necessary between participants to create a joint signature also emerge as a performance bottleneck. Thus, optimizing the network costs associated with signature operations holds significant benefits for the practical implementation of threshold signatures.
BLS Signature Process
1. Preparation Phase: Select a random number as the private key Sk, and compute the public key P = pk x G along with the message.
2. Signing and Verification: Map the message hash H(m) to a point on the curve, denoted as Q, and multiply the resulting point by the private key to obtain the signature: S = pk x Q.
3. Signature Verification: Similarly, calculate the mapped point q as in step 1, and verify e(P, Q) = e(G, S).
Why can verification be done this way? What is the function e? This is where the aforementioned elliptic curve pairing function comes into play. Here is a brief introduction:
There is a special function, denoted as e, which can take as input two points Pand Q on a curve (or two distinct curves) and output a number, as in the form: e(P, Q) → n.
This function is special because it possesses certain properties. For instance, given a number x and two points P and Q, the result of the function remains the same regardless of which point is multiplied by this number, i.e.:e(xP, Q) = e(P, xQ).
Furthermore: e(aP, bQ) = e(P, abQ) = e(abP, Q) = e(P, Q)^{ab}.
There are other properties as well, but the aforementioned properties are primarily utilized for signature verification.
To verify the signature: e(P, q) = e(pkG, q) = e(G, pk x q) = e(G, S).
Now, with a single signature in place, let’s delve into aggregate signatures.
BLS Aggregate Signature
In blockchain applications, aggregate signatures are typically used to compress the signature size of transactions within a block. Consider a block containing 10 transactions, where each transaction has its own signature Si , public key Pi , and message for signing mi. An aggregate signature combines all transaction signatures in the block into one signature while simultaneously verifying the correctness of all individual transaction signatures. Let the final signature result be S, where S=S1+S2+…+S10.
To verify all transaction signatures in a block, the following equation must hold:
e(G,S) = e(P1,q1)e(P2,q2)…e(P10,q10)
e(G,S) = e(G,S1 + S2+…S10)
=e(G,S)e(G,S2)…e(G,S10)
=e(G,pk1q1)…e(G,pk10q10)
=e(P1,q1)e(P2,q2)…e(P10,q10)
Here, the properties of the pairing function are still utilized. All public keys are required, and ten pairing functions must be computed. The larger the number of transactions, the greater the computational load. However, the advantage is the significant reduction in signature bytes within the block.
BLS Key Aggregation
Building on the concept of multisignature, where different keys are used to sign the same transaction, let’s explore the process of BLS key aggregation.
A simple aggregation method involves adding all signatures and public keys together. Thus, the signature aggregation result is: S=S1+S2+S3.
The key aggregation result is: P=P1+P2+P3.
Let q be the point on the curve where the aggregated signature is mapped. To verify this aggregated signature, use the equation: e(G, S) = e(P, q).
e(G,S) = e(G,S1+S2+S3)
=e(G,(pk1+pk2+pk3)xq)
=e((pk1+pk2+pk3)xG,1)
=e(P1+P2+P3,q)
=e(P,q)
This method significantly reduces the number of pairings required for verification, as only one pairing per signer is needed. Aggregating keys and signatures simplifies the verification process and reduces computational overhead.
Aggregate Key Attack Defense
The approach mentioned above is theoretically feasible, but it may be vulnerable to key attacks, such as signature forgery in practice. How can this be prevented?
One method requires each signature participant to prove that they possess the private key corresponding to the public key (signing with the private key or randomly signing a specified message). Another method is to introduce non-linear coefficients to make attacks difficult to implement. Of course, the simple method mentioned above of adding multiple public keys and signatures cannot be used. Instead, they should be multiplied by certain coefficients before being added together.
BLS Advantages
Compared to other digital signature algorithms, the BLS signature algorithm has the following advantages:
Efficiency
The BLS signature algorithm is highly efficient in key generation, signature generation, and verification. It does not require point operations on elliptic curves like the ECDSA algorithm, nor does it involve complex public key merging operations like the Schnorr signature algorithm.
Security
Based on the properties of bilinear mappings, the BLS signature algorithm offers high security. It can resist common attacks such as replay attacks and forgery attacks.
Verifiability
The BLS signature algorithm is highly verifiable. Validators can easily verify the validity of a signature without complex computations or additional communication.
Determinism
The BLS signature algorithm is deterministic, meaning that as long as the private key remains confidential, anyone can verify the validity of a signature using the public key. This feature makes the BLS signature algorithm versatile in various scenarios.
Short Signature Length
BLS signatures stand out for their shorter lengths compared to other digital signature algorithms, making them more efficient in scenarios involving large data or requiring streamlined transmission.
Furthermore, multi-party key management services built on BLS signature technology provide relatively strong privacy measures. In practice, BLS signatures can offer the same functionalities as current Bitcoin (BTC) multi-signatures but are displayed on-chain as a single aggregated signature. In specific setups, BLS signatures divide the key into N parts distributed among N individuals, necessitating only M (where M is less than or equal to N) individuals to sign for the decryption and transfer of digital assets under that key.
Through BLS signatures, the identities and quantities of participants in multi-signature transactions remain undisclosed. However, when users need to access the funds and seek the custodian’s signature, they must forward the transaction hash to the custodian for signing. Upon successful broadcast of the transaction, the custodian acquires knowledge of the user’s public key, presenting an unresolved fundamental issue.
CipherBC avoids this issue by using MPC-TSS signature technology. While there has yet to be a comprehensive solution using BLS signatures in asset custody, the characteristics of this technology offer limitless possibilities.