Golden coin bitcoin

BLS signatures on Bitcoin—Pairing-based cryptography: Part 2

This post was first published on Medium.

Boneh-Lynn-Shacham (BLS) is a signature scheme based on bilinear pairings.

Compared to ECDSA or Schnorr signatures, it enjoys several salient advantages:

  • 2 times shorter
  • friendly to signature and key aggregation
  • deterministic: it does not rely on random number generators.

Due to its minimal storage and bandwidth requirements, it has been adopted by multiple blockchains such as Ethereum, Dfinity, Algorand, and Chia. We illustrate how to implement it on Bitcoin natively.

BLS Signatures: the Theory

Hash to Curve: H(m)

In ECDSA, a message m is hashed into a number. In BLS, we hash it to a point on the elliptic curve.

One naive way is to hash the message and multiply the result with the generator point G to get a curve point. However, it is insecure.

To do this securely, we first hash the message using SHA-256 and treat the 256 bit result as the x-coordinate of a point. If no such point exists on the curve, we increment the x-coordinate and try again, till we find the first valid point¹.

Sign

Signing is trivial. We simply multiply:

signing equation

pk is the private key and m is the message. Note no random number is needed. S is just a curve point and can be compressed to 33 bytes, about half the size of an ECDSA signature.

Signing illustration
Signing

Verify

To verify a signature, we simply compare two pairings:

verifying signature equation

verifying signature illustration

To see why the verification works,

bilinear pairing equation

Bilinear pairing e allows us to move scalar pk from the first input to the second.

Implementation on Bitcoin

We have implemented BLS signature verification using the pairing library.

Note we let users pass y-coordinate directly and verify it, to avoid computing modular square root².

Summary

We have only demonstrated how to verify a single BLS signature on Bitcoin. BLS’s main power lies in aggregated signatures and keys. We leave their implementations on Bitcoin as exercises to readers.

***

NOTES:

[1] This approach is called Hash and Pray, which runs in non-constant time. Constant time approach exists, such as Fouque and Tibouchi, but are harder to implement.

[2] We assume a curve point with the x-coordinate exists for ease of exposition here. A hash and pray approach can be easily added.

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.

[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]
[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]