crypto-snippets/bls

Boneh–Lynn–Shacham Digital Signature Algorithm


\(\gdef\system{\mathsf{Sig}}\) \(\gdef\systemprefix{}\) \(\gdef\keygen{\mathsf{\systemprefix{}KGen}}\) \(\gdef\sign{\mathsf{\systemprefix{}Sign}}\) \(\gdef\verify{\mathsf{\systemprefix{}Verify}}\) \(\gdef\msgspace{\mathcal{M}}\)

\(\gdef\gone{\mathbb{G}_1}\) \(\gdef\genone{g_1}\) \(\gdef\gentwo{g_2}\) \(\gdef\gtwo{\mathbb{G}_2}\) \(\gdef\gthree{\mathbb{G}_T}\) \(\gdef\order{q}\) \(\gdef\hash{\mathsf{H}}\)

Given:

  • Three cyclic group \(\gone,\gtwo,\gthree\) with bilinear pairing \(e: \gone \times \gtwo \to \gthree\), all of prime order \(\order\)
  • Generators \(\genone \in \gone, \gentwo \in \gtwo\)
  • A function \(\hash: \msgspace \to \gone\) for mapping elements of the message space \(\msgspace\) to elements in \(\gone\).

BLS instantiates a signature scheme as follows:

\(\keygen(1^n) \to (pk, sk)\)


  • Random \(\alpha \stackrel{\$}{\gets} \mathbb{Z_q}\)
  • \(h := \genone^\alpha\)
  • Output \((pk := h, sk := \alpha)\)

\(\sign(sk, m) \to \sigma\)


  • \(m' \gets \hash(m)\)
  • \(\sigma \gets m'^\alpha\)
  • Output \(\sigma\)

\(\verify(pk, m, \sigma) \to \{0,1\}\)


  • \(m' \gets \hash(m)\)
  • Output \(e(\genone, \sigma) \stackrel{?}{=} e(pk, m')\)

Last modified June 1, 2025, 5:02 p.m.