forked from cfrg/draft-irtf-cfrg-bls-signature
-
Notifications
You must be signed in to change notification settings - Fork 0
/
draft-irtf-cfrg-bls-signature-04.txt
1680 lines (1031 loc) · 54 KB
/
draft-irtf-cfrg-bls-signature-04.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
CFRG D. Boneh
Internet-Draft Stanford University
Intended status: Informational S. Gorbunov
Expires: 14 March 2021 University of Waterloo
R. Wahby
Stanford University
H. Wee
NTT Research and ENS, Paris
Z. Zhang
Algorand
10 September 2020
BLS Signatures
draft-irtf-cfrg-bls-signature-04
Abstract
BLS is a digital signature scheme with aggregation properties. Given
set of signatures (signature_1, ..., signature_n) anyone can produce
an aggregated signature. Aggregation can also be done on secret keys
and public keys. Furthermore, the BLS signature scheme is
deterministic, non-malleable, and efficient. Its simplicity and
cryptographic properties allows it to be useful in a variety of use-
cases, specifically when minimal storage space or bandwidth are
required.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 14 March 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
Boneh, et al. Expires 14 March 2021 [Page 1]
Internet-Draft BLS-signature September 2020
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Comparison with ECDSA . . . . . . . . . . . . . . . . . . 4
1.2. Organization of this document . . . . . . . . . . . . . . 4
1.3. Terminology and definitions . . . . . . . . . . . . . . . 5
1.4. API . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.5. Requirements . . . . . . . . . . . . . . . . . . . . . . 7
2. Core operations . . . . . . . . . . . . . . . . . . . . . . . 7
2.1. Variants . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2. Parameters . . . . . . . . . . . . . . . . . . . . . . . 7
2.3. KeyGen . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.4. SkToPk . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.5. KeyValidate . . . . . . . . . . . . . . . . . . . . . . . 11
2.6. CoreSign . . . . . . . . . . . . . . . . . . . . . . . . 11
2.7. CoreVerify . . . . . . . . . . . . . . . . . . . . . . . 12
2.8. Aggregate . . . . . . . . . . . . . . . . . . . . . . . . 12
2.9. CoreAggregateVerify . . . . . . . . . . . . . . . . . . . 13
3. BLS Signatures . . . . . . . . . . . . . . . . . . . . . . . 14
3.1. Basic scheme . . . . . . . . . . . . . . . . . . . . . . 14
3.1.1. AggregateVerify . . . . . . . . . . . . . . . . . . . 15
3.2. Message augmentation . . . . . . . . . . . . . . . . . . 15
3.2.1. Sign . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2.2. Verify . . . . . . . . . . . . . . . . . . . . . . . 16
3.2.3. AggregateVerify . . . . . . . . . . . . . . . . . . . 16
3.3. Proof of possession . . . . . . . . . . . . . . . . . . . 17
3.3.1. Parameters . . . . . . . . . . . . . . . . . . . . . 18
3.3.2. PopProve . . . . . . . . . . . . . . . . . . . . . . 18
3.3.3. PopVerify . . . . . . . . . . . . . . . . . . . . . . 19
3.3.4. FastAggregateVerify . . . . . . . . . . . . . . . . . 19
4. Ciphersuites . . . . . . . . . . . . . . . . . . . . . . . . 20
4.1. Ciphersuite format . . . . . . . . . . . . . . . . . . . 20
4.2. Ciphersuites for BLS12-381 . . . . . . . . . . . . . . . 22
4.2.1. Basic . . . . . . . . . . . . . . . . . . . . . . . . 22
4.2.2. Message augmentation . . . . . . . . . . . . . . . . 22
4.2.3. Proof of possession . . . . . . . . . . . . . . . . . 23
5. Security Considerations . . . . . . . . . . . . . . . . . . . 24
5.1. Validating public keys . . . . . . . . . . . . . . . . . 24
5.2. Skipping membership check . . . . . . . . . . . . . . . . 24
Boneh, et al. Expires 14 March 2021 [Page 2]
Internet-Draft BLS-signature September 2020
5.3. Side channel attacks . . . . . . . . . . . . . . . . . . 25
5.4. Randomness considerations . . . . . . . . . . . . . . . . 25
5.5. Implementing hash_to_point and hash_pubkey_to_point . . . 25
6. Implementation Status . . . . . . . . . . . . . . . . . . . . 25
7. Related Standards . . . . . . . . . . . . . . . . . . . . . . 26
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
9. Normative References . . . . . . . . . . . . . . . . . . . . 26
10. Informative References . . . . . . . . . . . . . . . . . . . 27
Appendix A. BLS12-381 . . . . . . . . . . . . . . . . . . . . . 28
Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 29
Appendix C. Security analyses . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29
1. Introduction
A signature scheme is a fundamental cryptographic primitive that is
used to protect authenticity and integrity of communication. Only
the holder of a secret key can sign messages, but anyone can verify
the signature using the associated public key.
Signature schemes are used in point-to-point secure communication
protocols, PKI, remote connections, etc. Designing efficient and
secure digital signature is very important for these applications.
This document describes the BLS signature scheme. The scheme enjoys
a variety of important efficiency properties:
1. The public key and the signatures are encoded as single group
elements.
2. Verification requires 2 pairing operations.
3. A collection of signatures (signature_1, ..., signature_n) can be
aggregated into a single signature. Moreover, the aggregate
signature can be verified using only n+1 pairings (as opposed to
2n pairings, when verifying n signatures separately).
Given the above properties, the scheme enables many interesting
applications. The immediate applications include
* Authentication and integrity for Public Key Infrastructure (PKI)
and blockchains.
- The usage is similar to classical digital signatures, such as
ECDSA.
* Aggregating signature chains for PKI and Secure Border Gateway
Protocol (SBGP).
Boneh, et al. Expires 14 March 2021 [Page 3]
Internet-Draft BLS-signature September 2020
- Concretely, in a PKI signature chain of depth n, we have n
signatures by n certificate authorities on n distinct
certificates. Similarly, in SBGP, each router receives a list
of n signatures attesting to a path of length n in the network.
In both settings, using the BLS signature scheme would allow us
to aggregate the n signatures into a single signature.
* consensus protocols for blockchains.
- There, BLS signatures are used for authenticating transactions
as well as votes during the consensus protocol, and the use of
aggregation significantly reduces the bandwidth and storage
requirements.
1.1. Comparison with ECDSA
The following comparison assumes BLS signatures with curve BLS12-381,
targeting 128 bits security.
For 128 bits security, ECDSA takes 37 and 79 micro-seconds to sign
and verify a signature on a typical laptop. In comparison, for the
same level of security, BLS takes 370 and 2700 micro-seconds to sign
and verify a signature.
In terms of sizes, ECDSA uses 32 bytes for public keys and 64 bytes
for signatures; while BLS uses 96 bytes for public keys, and 48 bytes
for signatures. Alternatively, BLS can also be instantiated with 48
bytes of public keys and 96 bytes of signatures. BLS also allows for
signature aggregation. In other words, a single signature is
sufficient to authenticate multiple messages and public keys.
1.2. Organization of this document
This document is organized as follows:
* The remainder of this section defines terminology and the high-
level API.
* Section 2 defines primitive operations used in the BLS signature
scheme. These operations MUST NOT be used alone.
* Section 3 defines three BLS Signature schemes giving slightly
different security and performance properties.
* Section 4 defines the format for a ciphersuites and gives
recommended ciphersuites.
* The appendices give test vectors, etc.
Boneh, et al. Expires 14 March 2021 [Page 4]
Internet-Draft BLS-signature September 2020
1.3. Terminology and definitions
The following terminology is used through this document:
* SK: The secret key for the signature scheme.
* PK: The public key for the signature scheme.
* message: The input to be signed by the signature scheme.
* signature: The digital signature output.
* aggregation: Given a list of signatures for a list of messages and
public keys, an aggregation algorithm generates one signature that
authenticates the same list of messages and public keys.
* rogue key attack: An attack in which a specially crafted public
key (the "rogue" key) is used to forge an aggregated signature.
Section 3 specifies methods for securing against rogue key
attacks.
The following notation and primitives are used:
* a || b denotes the concatenation of octet strings a and b.
* A pairing-friendly elliptic curve defines the following primitives
(see [I-D.irtf-cfrg-pairing-friendly-curves] for detailed
discussion):
- E1, E2: elliptic curve groups defined over finite fields. This
document assumes that E1 has a more compact representation than
E2, i.e., because E1 is defined over a smaller field than E2.
- G1, G2: subgroups of E1 and E2 (respectively) having prime
order r.
- P1, P2: distinguished points that generate G1 and G2,
respectively.
- GT: a subgroup, of prime order r, of the multiplicative group
of a field extension.
- e : G1 x G2 -> GT: a non-degenerate bilinear map.
* For the above pairing-friendly curve, this document writes
operations in E1 and E2 in additive notation, i.e., P + Q denotes
point addition and x * P denotes scalar multiplication.
Boneh, et al. Expires 14 March 2021 [Page 5]
Internet-Draft BLS-signature September 2020
Operations in GT are written in multiplicative notation, i.e., a *
b is field multiplication.
* For each of E1 and E2 defined by the above pairing-friendly curve,
we assume that the pairing-friendly elliptic curve definition
provides several primitives, described below.
Note that these primitives are named generically. When referring
to one of these primitives for a specific group, this document
appends the name of the group, e.g., point_to_octets_E1,
subgroup_check_E2, etc.
- point_to_octets(P) -> ostr: returns the canonical
representation of the point P as an octet string. This
operation is also known as serialization.
- octets_to_point(ostr) -> P: returns the point P corresponding
to the canonical representation ostr, or INVALID if ostr is not
a valid output of point_to_octets. This operation is also
known as deserialization.
- subgroup_check(P) -> VALID or INVALID: returns VALID when the
point P is an element of the subgroup of order r, and INVALID
otherwise. This function can always be implemented by checking
that r * P is equal to the identity element. In some cases,
faster checks may also exist, e.g., [Bowe19].
* I2OSP and OS2IP are the functions defined in [RFC8017], Section 4.
* hash_to_point(ostr) -> P: a cryptographic hash function that takes
as input an arbitrary octet string and returns a point on an
elliptic curve. Functions of this kind are defined in
[I-D.irtf-cfrg-hash-to-curve]. Each of the ciphersuites in
Section 4 specifies the hash_to_point algorithm to be used.
1.4. API
The BLS signature scheme defines the following API:
* KeyGen(IKM) -> SK: a key generation algorithm that takes as input
an octet string comprising secret keying material, and outputs a
secret key SK.
* SkToPk(SK) -> PK: an algorithm that takes as input a secret key
and outputs the corresponding public key.
* Sign(SK, message) -> signature: a signing algorithm that generates
a deterministic signature given a secret key SK and a message.
Boneh, et al. Expires 14 March 2021 [Page 6]
Internet-Draft BLS-signature September 2020
* Verify(PK, message, signature) -> VALID or INVALID: a verification
algorithm that outputs VALID if signature is a valid signature of
message under public key PK, and INVALID otherwise.
* Aggregate((signature_1, ..., signature_n)) -> signature: an
aggregation algorithm that aggregates a collection of signatures
into a single signature.
* AggregateVerify((PK_1, ..., PK_n), (message_1, ..., message_n),
signature) -> VALID or INVALID: an aggregate verification
algorithm that outputs VALID if signature is a valid aggregated
signature for a collection of public keys and messages, and
outputs INVALID otherwise.
1.5. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Core operations
This section defines core operations used by the schemes defined in
Section 3. These operations MUST NOT be used except as described in
that section.
2.1. Variants
Each core operation has two variants that trade off signature and
public key size:
1. Minimal-signature-size: signatures are points in G1, public keys
are points in G2. (Recall from Section 1.3 that E1 has a more
compact representation than E2.)
2. Minimal-pubkey-size: public keys are points in G1, signatures are
points in G2.
Implementations using signature aggregation SHOULD use this
approach, since the size of (PK_1, ..., PK_n, signature) is
dominated by the public keys even for small n.
2.2. Parameters
The core operations in this section depend on several parameters:
* A signature variant, either minimal-signature-size or minimal-
pubkey-size. These are defined in Section 2.1.
Boneh, et al. Expires 14 March 2021 [Page 7]
Internet-Draft BLS-signature September 2020
* A pairing-friendly elliptic curve, plus associated functionality
given in Section 1.3.
* H, a hash function that MUST be a secure cryptographic hash
function, e.g., SHA-256 [FIPS180-4]. For security, H MUST output
at least ceil(log2(r)) bits, where r is the order of the subgroups
G1 and G2 defined by the pairing-friendly elliptic curve.
* hash_to_point, a function whose interface is described in
Section 1.3. When the signature variant is minimal-signature-
size, this function MUST output a point in G1. When the signature
variant is minimal-pubkey size, this function MUST output a point
in G2. For security, this function MUST be either a random oracle
encoding or a nonuniform encoding, as defined in
[I-D.irtf-cfrg-hash-to-curve].
In addition, the following primitives are determined by the above
parameters:
* P, an elliptic curve point. When the signature variant is
minimal-signature-size, P is the distinguished point P2 that
generates the group G2 (see Section 1.3). When the signature
variant is minimal-pubkey-size, P is the distinguished point P1
that generates the group G1.
* r, the order of the subgroups G1 and G2 defined by the pairing-
friendly curve.
* pairing, a function that invokes the function e of Section 1.3,
with argument order depending on signature variant:
- For minimal-signature-size:
pairing(U, V) := e(U, V)
- For minimal-pubkey-size:
pairing(U, V) := e(V, U)
* point_to_pubkey and point_to_signature, functions that invoke the
appropriate serialization routine (Section 1.3) depending on
signature variant:
- For minimal-signature-size:
point_to_pubkey(P) := point_to_octets_E2(P)
point_to_signature(P) := point_to_octets_E1(P)
Boneh, et al. Expires 14 March 2021 [Page 8]
Internet-Draft BLS-signature September 2020
- For minimal-pubkey-size:
point_to_pubkey(P) := point_to_octets_E1(P)
point_to_signature(P) := point_to_octets_E2(P)
* pubkey_to_point and signature_to_point, functions that invoke the
appropriate deserialization routine (Section 1.3) depending on
signature variant:
- For minimal-signature-size:
pubkey_to_point(ostr) := octets_to_point_E2(ostr)
signature_to_point(ostr) := octets_to_point_E1(ostr)
- For minimal-pubkey-size:
pubkey_to_point(ostr) := octets_to_point_E1(ostr)
signature_to_point(ostr) := octets_to_point_E2(ostr)
* pubkey_subgroup_check and signature_subgroup_check, functions that
invoke the appropriate subgroup check routine (Section 1.3)
depending on signature variant:
- For minimal-signature-size:
pubkey_subgroup_check(P) := subgroup_check_E2(P)
signature_subgroup_check(P) := subgroup_check_E1(P)
- For minimal-pubkey-size:
pubkey_subgroup_check(P) := subgroup_check_E1(P)
signature_subgroup_check(P) := subgroup_check_E2(P)
2.3. KeyGen
The KeyGen procedure described in this section generates a secret key
SK deterministically from a secret octet string IKM. SK is
guaranteed to be nonzero, as required by KeyValidate (Section 2.5).
KeyGen uses HKDF [RFC5869] instantiated with the hash function H.
For security, IKM MUST be infeasible to guess, e.g., generated by a
Boneh, et al. Expires 14 March 2021 [Page 9]
Internet-Draft BLS-signature September 2020
trusted source of randomness. IKM MUST be at least 32 bytes long,
but it MAY be longer.
KeyGen takes an optional parameter, key_info. This parameter MAY be
used to derive multiple independent keys from the same IKM. By
default, key_info is the empty string.
SK = KeyGen(IKM)
Inputs:
- IKM, a secret octet string. See requirements above.
Outputs:
- SK, a uniformly random integer such that 1 <= SK < r.
Parameters:
- key_info, an optional octet string.
If key_info is not supplied, it defaults to the empty string.
Definitions:
- HKDF-Extract is as defined in RFC5869, instantiated with hash H.
- HKDF-Expand is as defined in RFC5869, instantiated with hash H.
- I2OSP and OS2IP are as defined in RFC8017, Section 4.
- L is the integer given by ceil((3 * ceil(log2(r))) / 16).
- "BLS-SIG-KEYGEN-SALT-" is an ASCII string comprising 20 octets.
Procedure:
1. salt = "BLS-SIG-KEYGEN-SALT-"
2. SK = 0
3. while SK == 0:
4. salt = H(salt)
5. PRK = HKDF-Extract(salt, IKM || I2OSP(0, 1))
6. OKM = HKDF-Expand(PRK, key_info || I2OSP(L, 2), L)
7. SK = OS2IP(OKM) mod r
8. return SK
KeyGen is the RECOMMENDED way of generating secret keys, but its use
is not required for compatibility, and implementations MAY use a
different KeyGen procedure. For security, such an alternative KeyGen
procedure MUST output SK that is statistically close to uniformly
random in the range 1 <= SK < r.
2.4. SkToPk
The SkToPk algorithm takes a secret key SK and outputs the
corresponding public key PK. Section 2.3 discusses requirements for
SK.
Boneh, et al. Expires 14 March 2021 [Page 10]
Internet-Draft BLS-signature September 2020
PK = SkToPk(SK)
Inputs:
- SK, a secret integer such that 1 <= SK < r.
Outputs:
- PK, a public key encoded as an octet string.
Procedure:
1. xP = SK * P
2. PK = point_to_pubkey(xP)
3. return PK
2.5. KeyValidate
The KeyValidate algorithm ensures that a public key is valid. In
particular, it ensures that a public key represents a valid, non-
identity point that is in the correct subgroup. See Section 5.1 for
further discussion.
As an optimization, implementations MAY cache the result of
KeyValidate in order to avoid unnecessarily repeating validation for
known keys.
result = KeyValidate(PK)
Inputs:
- PK, a public key in the format output by SkToPk.
Outputs:
- result, either VALID or INVALID
Procedure:
1. xP = pubkey_to_point(PK)
2. If xP is INVALID, return INVALID
3. If xP is the identity element, return INVALID
4. If pubkey_subgroup_check(xP) is INVALID, return INVALID
5. return VALID
2.6. CoreSign
The CoreSign algorithm computes a signature from SK, a secret key,
and message, an octet string.
Boneh, et al. Expires 14 March 2021 [Page 11]
Internet-Draft BLS-signature September 2020
signature = CoreSign(SK, message)
Inputs:
- SK, a secret key in the format output by KeyGen.
- message, an octet string.
Outputs:
- signature, an octet string.
Procedure:
1. Q = hash_to_point(message)
2. R = SK * Q
3. signature = point_to_signature(R)
4. return signature
2.7. CoreVerify
The CoreVerify algorithm checks that a signature is valid for the
octet string message under the public key PK.
result = CoreVerify(PK, message, signature)
Inputs:
- PK, a public key in the format output by SkToPk.
- message, an octet string.
- signature, an octet string in the format output by CoreSign.
Outputs:
- result, either VALID or INVALID.
Procedure:
1. R = signature_to_point(signature)
2. If R is INVALID, return INVALID
3. If signature_subgroup_check(R) is INVALID, return INVALID
4. If KeyValidate(PK) is INVALID, return INVALID
5. xP = pubkey_to_point(PK)
6. Q = hash_to_point(message)
7. C1 = pairing(Q, xP)
8. C2 = pairing(R, P)
9. If C1 == C2, return VALID, else return INVALID
2.8. Aggregate
The Aggregate algorithm aggregates multiple signatures into one.
Boneh, et al. Expires 14 March 2021 [Page 12]
Internet-Draft BLS-signature September 2020
signature = Aggregate((signature_1, ..., signature_n))
Inputs:
- signature_1, ..., signature_n, octet strings output by
either CoreSign or Aggregate.
Outputs:
- signature, an octet string encoding a aggregated signature
that combines all inputs; or INVALID.
Precondition: n >= 1, otherwise return INVALID.
Procedure:
1. aggregate = signature_to_point(signature_1)
2. If aggregate is INVALID, return INVALID
3. for i in 2, ..., n:
4. next = signature_to_point(signature_i)
5. If next is INVALID, return INVALID
6. aggregate = aggregate + next
7. signature = point_to_signature(aggregate)
8. return signature
2.9. CoreAggregateVerify
The CoreAggregateVerify algorithm checks an aggregated signature over
several (PK, message) pairs.
Boneh, et al. Expires 14 March 2021 [Page 13]
Internet-Draft BLS-signature September 2020
result = CoreAggregateVerify((PK_1, ..., PK_n),
(message_1, ... message_n),
signature)
Inputs:
- PK_1, ..., PK_n, public keys in the format output by SkToPk.
- message_1, ..., message_n, octet strings.
- signature, an octet string output by Aggregate.
Outputs:
- result, either VALID or INVALID.
Precondition: n >= 1, otherwise return INVALID.
Procedure:
1. R = signature_to_point(signature)
2. If R is INVALID, return INVALID
3. If signature_subgroup_check(R) is INVALID, return INVALID
4. C1 = 1 (the identity element in GT)
5. for i in 1, ..., n:
6. If KeyValidate(PK_i) is INVALID, return INVALID
7. xP = pubkey_to_point(PK_i)
8. Q = hash_to_point(message_i)
9. C1 = C1 * pairing(Q, xP)
10. C2 = pairing(R, P)
11. If C1 == C2, return VALID, else return INVALID
3. BLS Signatures
This section defines three signature schemes: basic, message
augmentation, and proof of possession. These schemes differ in the
ways that they defend against rogue key attacks (Section 1.3).
All of the schemes in this section are built on a set of core
operations defined in Section 2. Thus, defining a scheme requires
fixing a set of parameters as defined in Section 2.2.
All three schemes expose the KeyGen, SkToPk, and Aggregate operations
that are defined in Section 2. The sections below define the other
API functions (Section 1.4) for each scheme.
3.1. Basic scheme
In a basic scheme, rogue key attacks are handled by requiring all
messages signed by an aggregate signature to be distinct. This
requirement is enforced in the definition of AggregateVerify.
Boneh, et al. Expires 14 March 2021 [Page 14]
Internet-Draft BLS-signature September 2020
The Sign and Verify functions are identical to CoreSign and
CoreVerify (Section 2), respectively. AggregateVerify is defined
below.
3.1.1. AggregateVerify
This function first ensures that all messages are distinct, and then
invokes CoreAggregateVerify.
result = AggregateVerify((PK_1, ..., PK_n),
(message_1, ..., message_n),
signature)
Inputs:
- PK_1, ..., PK_n, public keys in the format output by SkToPk.
- message_1, ..., message_n, octet strings.
- signature, an octet string output by Aggregate.
Outputs:
- result, either VALID or INVALID.
Precondition: n >= 1, otherwise return INVALID.
Procedure:
1. If any two input messages are equal, return INVALID.
2. return CoreAggregateVerify((PK_1, ..., PK_n),
(message_1, ..., message_n),
signature)
3.2. Message augmentation
In a message augmentation scheme, signatures are generated over the
concatenation of the public key and the message, ensuring that
messages signed by different public keys are distinct.
3.2.1. Sign
To match the API for Sign defined in Section 1.4, this function
recomputes the public key corresponding to the input SK.
Implementations MAY instead implement an interface that takes the
public key as an input.
Note that the point P and the point_to_pubkey function are defined in
Section 2.2.
Boneh, et al. Expires 14 March 2021 [Page 15]
Internet-Draft BLS-signature September 2020
signature = Sign(SK, message)
Inputs:
- SK, a secret key in the format output by KeyGen.
- message, an octet string.
Outputs:
- signature, an octet string.
Procedure:
1. PK = SkToPk(SK)
2. return CoreSign(SK, PK || message)
3.2.2. Verify
result = Verify(PK, message, signature)
Inputs:
- PK, a public key in the format output by SkToPk.
- message, an octet string.
- signature, an octet string in the format output by CoreSign.
Outputs:
- result, either VALID or INVALID.
Procedure:
1. return CoreVerify(PK, PK || message, signature)
3.2.3. AggregateVerify
Boneh, et al. Expires 14 March 2021 [Page 16]
Internet-Draft BLS-signature September 2020
result = AggregateVerify((PK_1, ..., PK_n),
(message_1, ..., message_n),
signature)
Inputs:
- PK_1, ..., PK_n, public keys in the format output by SkToPk.
- message_1, ..., message_n, octet strings.
- signature, an octet string output by Aggregate.
Outputs:
- result, either VALID or INVALID.
Precondition: n >= 1, otherwise return INVALID.
Procedure:
1. for i in 1, ..., n:
2. mprime_i = PK_i || message_i
3. return CoreAggregateVerify((PK_1, ..., PK_n),
(mprime_1, ..., mprime_n),
signature)
3.3. Proof of possession
A proof of possession scheme uses a separate public key validation
step, called a proof of possession, to defend against rogue key
attacks. This enables an optimization to aggregate signature
verification for the case that all signatures are on the same
message.
The Sign, Verify, and AggregateVerify functions are identical to
CoreSign, CoreVerify, and CoreAggregateVerify (Section 2),
respectively. In addition, a proof of possession scheme defines
three functions beyond the standard API (Section 1.4):
* PopProve(SK) -> proof: an algorithm that generates a proof of
possession for the public key corresponding to secret key SK.
* PopVerify(PK, proof) -> VALID or INVALID: an algorithm that
outputs VALID if proof is valid for PK, and INVALID otherwise.
* FastAggregateVerify((PK_1, ..., PK_n), message, signature) ->
VALID or INVALID: a verification algorithm for the aggregate of
multiple signatures on the same message. This function is faster
than AggregateVerify.
All public keys used by Verify, AggregateVerify, and
FastAggregateVerify MUST be accompanied by a proof of possession, and
Boneh, et al. Expires 14 March 2021 [Page 17]
Internet-Draft BLS-signature September 2020
the result of evaluating PopVerify on the public key and proof MUST
be VALID.
3.3.1. Parameters
In addition to the parameters required to instantiate the core
operations (Section 2.2), a proof of possession scheme requires one
further parameter:
* hash_pubkey_to_point(PK) -> P: a cryptographic hash function that
takes as input a public key and outputs a point in the same
subgroup as the hash_to_point algorithm used to instantiate the
core operations.
For security, this function MUST be domain separated from the
hash_to_point function. In addition, this function MUST be either
a random oracle encoding or a nonuniform encoding, as defined in
[I-D.irtf-cfrg-hash-to-curve].
The RECOMMENDED way of instantiating hash_pubkey_to_point is to
use the same hash-to-curve function as hash_to_point, with a
different domain separation tag (see
[I-D.irtf-cfrg-hash-to-curve], Section 3.1). Section 4.1
discusses the RECOMMENDED way to construct the domain separation
tag.
3.3.2. PopProve
This function recomputes the public key coresponding to the input SK.
Implementations MAY instead implement an interface that takes the
public key as input.
Note that the point P and the point_to_pubkey and point_to_signature
functions are defined in Section 2.2. The hash_pubkey_to_point
function is defined in Section 3.3.1.