forked from cfrg/draft-irtf-cfrg-bls-signature
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdraft-irtf-cfrg-bls-signature-02.xml
1252 lines (1123 loc) · 51.8 KB
/
draft-irtf-cfrg-bls-signature-02.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.nl" -->
<!DOCTYPE rfc SYSTEM 'rfc2629.dtd' []>
<rfc ipr="trust200902" xml:lang="en" consensus="yes" docName="draft-irtf-cfrg-bls-signature-02" category="info">
<?rfc toc="yes"?><?rfc symrefs="yes"?><?rfc sortrefs="yes"?><?rfc compact="yes"?><?rfc subcompact="no"?><?rfc comments="no"?>
<front>
<title abbrev="BLS-signature">draft-irtf-cfrg-bls-signature-02</title><author initials="D." surname="Boneh" fullname="Dan Boneh"><organization>Stanford University</organization><address><postal><street></street>
<country>USA</country>
</postal><email>[email protected]</email>
</address></author>
<author initials="S." surname="Gorbunov" fullname="Sergey Gorbunov"><organization>Algorand and University of Waterloo</organization><address><postal><street></street>
<city>Boston, MA</city>
<country>USA</country>
</postal><email>[email protected]</email>
</address></author>
<author initials="R." surname="Wahby" fullname="Riad S. Wahby"><organization>Stanford University</organization><address><postal><street></street>
<country>USA</country>
</postal><email>[email protected]</email>
</address></author>
<author initials="H." surname="Wee" fullname="Hoeteck Wee"><organization>Algorand and ENS, Paris</organization><address><postal><street></street>
<city>Boston, MA</city>
<country>USA</country>
</postal><email>[email protected]</email>
</address></author>
<author initials="Z." surname="Zhang" fullname="Zhenfei Zhang"><organization>Algorand</organization><address><postal><street></street>
<city>Boston, MA</city>
<country>USA</country>
</postal><email>[email protected]</email>
</address></author>
<date year="2020" month="March" day="9"></date>
<area>Internet</area><workgroup>CFRG</workgroup>
<abstract><t>BLS is a digital signature scheme with aggregation properties.
Given set of signatures (signature_1, ..., signature_n) anyone can produce
an aggregated signature. Aggregation can also be done on secret keys and
public keys. Furthermore, the BLS signature scheme is deterministic, non-malleable,
and efficient. Its simplicity and cryptographic properties allows it
to be useful in a variety of use-cases, specifically when minimal
storage space or bandwidth are required.</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>A signature scheme is a fundamental cryptographic primitive
that is used to protect authenticity and integrity of communication.
Only the holder of a secret key can sign messages, but anyone can
verify the signature using the associated public key.</t>
<t>Signature schemes are used in point-to-point secure communication
protocols, PKI, remote connections, etc.
Designing efficient and secure digital signature is very important
for these applications.</t>
<t>This document describes the BLS signature scheme. The scheme enjoys a variety
of important efficiency properties:</t>
<t>
<list style="numbers">
<t>The public key and the signatures are encoded as single group elements.</t>
<t>Verification requires 2 pairing operations.</t>
<t>A collection of signatures (signature_1, ..., signature_n) can be aggregated
into a single signature. Moreover, the aggregate signature can
be verified using only n+1 pairings (as opposed to 2n pairings, when verifying
n signatures separately).</t>
</list>
</t>
<t>Given the above properties,
the scheme enables many interesting applications.
The immediate applications include</t>
<t>
<list style="symbols">
<t>Authentication and integrity for Public Key Infrastructure (PKI) and blockchains.
<list style="symbols">
<t>The usage is similar to classical digital signatures, such as ECDSA.</t>
</list></t>
<t>Aggregating signature chains for PKI and Secure Border Gateway Protocol (SBGP).
<list style="symbols">
<t>Concretely, in a PKI signature chain of depth n, we have n signatures by n
certificate authorities on n distinct certificates. Similarly, in SBGP,
each router receives a list of n signatures attesting to a path of length n
in the network. In both settings, using the BLS signature scheme would allow us
to aggregate the n signatures into a single signature.</t>
</list></t>
<t>consensus protocols for blockchains.
<list style="symbols">
<t>There, BLS signatures
are used for authenticating transactions as well as votes during the consensus
protocol, and the use of aggregation significantly reduces the bandwidth
and storage requirements.</t>
</list></t>
</list>
</t>
<section anchor="comparison-with-ecdsa" title="Comparison with ECDSA">
<t>The following comparison assumes BLS signatures with curve BLS12-381, targeting
128 bits security.</t>
<t>For 128 bits security, ECDSA takes 37 and 79 micro-seconds to sign and verify
a signature on a typical laptop. In comparison, for the same level of security,
BLS takes 370 and 2700 micro-seconds to sign and verify
a signature.</t>
<t>In terms of sizes, ECDSA uses 32 bytes for public keys and 64 bytes for signatures;
while BLS uses 96 bytes for public keys, and 48 bytes for signatures.
Alternatively, BLS can also be instantiated with 48 bytes of public keys and 96 bytes
of signatures.
BLS also allows for signature aggregation. In other words, a single signature is
sufficient to authenticate multiple messages and public keys.</t>
</section>
<section anchor="organization-of-this-document" title="Organization of this document">
<t>This document is organized as follows:</t>
<t>
<list style="symbols">
<t>The remainder of this section defines terminology and the high-level API.</t>
<t><xref target="coreops"></xref> defines primitive operations used in the BLS signature scheme.
These operations MUST NOT be used alone.</t>
<t><xref target="schemes"></xref> defines three BLS Signature schemes giving slightly different
security and performance properties.</t>
<t><xref target="ciphersuites"></xref> defines the format for a ciphersuites and gives recommended ciphersuites.</t>
<t>The appendices give test vectors, etc.</t>
</list>
</t>
</section>
<section anchor="definitions" title="Terminology and definitions">
<t>The following terminology is used through this document:</t>
<t>
<list style="symbols">
<t>SK: The secret key for the signature scheme.</t>
<t>PK: The public key for the signature scheme.</t>
<t>message: The input to be signed by the signature scheme.</t>
<t>signature: The digital signature output.</t>
<t>aggregation: Given a list of signatures for a list of messages and public keys,
an aggregation algorithm generates one signature that authenticates the same
list of messages and public keys.</t>
<t>rogue key attack:
An attack in which a specially crafted public key (the "rogue" key) is used
to forge an aggregated signature.
<xref target="schemes"></xref> specifies methods for securing against rogue key attacks.</t>
</list>
</t>
<t>The following notation and primitives are used:</t>
<t>
<list style="symbols">
<t>a || b denotes the concatenation of octet strings a and b.</t>
<t>A pairing-friendly elliptic curve defines the following primitives
(see <xref target="I-D.irtf-cfrg-pairing-friendly-curves"></xref> for detailed discussion):
<list style="symbols">
<t>E1, E2: elliptic curve groups defined over finite fields.
This document assumes that E1 has a more compact representation than
E2, i.e., because E1 is defined over a smaller field than E2.</t>
<t>G1, G2: subgroups of E1 and E2 (respectively) having prime order r.</t>
<t>P1, P2: distinguished points that generate G1 and G2, respectively.</t>
<t>GT: a subgroup, of prime order r, of the multiplicative group of a field extension.</t>
<t>e : G1 x G2 -> GT: a non-degenerate bilinear map.</t>
</list></t>
<t>For the above pairing-friendly curve, this document
writes operations in E1 and E2 in additive notation, i.e.,
P + Q denotes point addition and x * P denotes scalar multiplication.
Operations in GT are written in multiplicative notation, i.e., a * b
is field multiplication.</t>
</list>
</t>
<t>
<list style="symbols">
<t>For each of E1 and E2 defined by the above pairing-friendly curve,
we assume that the pairing-friendly elliptic curve definition provides
several primitives, described below.<vspace />
Note that these primitives are named generically.
When referring to one of these primitives for a specific group,
this document appends the name of the group, e.g.,
point_to_octets_E1, subgroup_check_E2, etc.
<list style="symbols">
<t>point_to_octets(P) -> ostr: returns the canonical representation of
the point P as an octet string.
This operation is also known as serialization.</t>
<t>octets_to_point(ostr) -> P: returns the point P corresponding to the
canonical representation ostr, or INVALID if ostr is not a valid output
of point_to_octets.
This operation is also known as deserialization.</t>
<t>subgroup_check(P) -> VALID or INVALID: returns VALID when the point P
is an element of the subgroup of order r, and INVALID otherwise.
This function can always be implemented by checking that r * P is equal
to the identity element. In some cases, faster checks may also exist,
e.g., <xref target="Bowe19"></xref>.</t>
</list></t>
<t>I2OSP and OS2IP are the functions defined in <xref target="RFC8017"></xref>, Section 4.</t>
<t>hash_to_point(ostr) -> P: a cryptographic hash function that takes as input an
arbitrary octet string and returns a point on an elliptic curve.
Functions of this kind are defined in <xref target="I-D.irtf-cfrg-hash-to-curve"></xref>.
Each of the ciphersuites in <xref target="ciphersuites"></xref> specifies the hash_to_point
algorithm to be used.</t>
</list>
</t>
</section>
<section anchor="blsapi" title="API">
<t>The BLS signature scheme defines the following API:</t>
<t>
<list style="symbols">
<t>KeyGen(IKM) -> SK: a key generation algorithm that
takes as input an octet string comprising secret keying material,
and outputs a secret key SK.</t>
<t>SkToPk(SK) -> PK: an algorithm that takes as input a secret key
and outputs the corresponding public key.</t>
<t>Sign(SK, message) -> signature: a signing algorithm that generates a
deterministic signature given a secret key SK and a message.</t>
<t>Verify(PK, message, signature) -> VALID or INVALID:
a verification algorithm that outputs VALID if signature is a valid
signature of message under public key PK, and INVALID otherwise.</t>
<t>Aggregate((signature_1, ..., signature_n)) -> signature:
an aggregation algorithm that aggregates a collection of signatures
into a single signature.</t>
<t>AggregateVerify((PK_1, ..., PK_n), (message_1, ..., message_n), signature) -> VALID or INVALID:
an aggregate verification algorithm that outputs VALID if signature
is a valid aggregated signature for a collection of public keys and messages,
and outputs INVALID otherwise.</t>
</list>
</t>
</section>
<section anchor="requirements" title="Requirements">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119"></xref>.</t>
</section>
</section>
<section anchor="coreops" title="Core operations">
<t>This section defines core operations used by the schemes defined in <xref target="schemes"></xref>.
These operations MUST NOT be used except as described in that section.</t>
<section anchor="corevariants" title="Variants">
<t>Each core operation has two variants that trade off signature
and public key size:</t>
<t>
<list style="numbers">
<t>Minimal-signature-size: signatures are points in G1,
public keys are points in G2.
(Recall from <xref target="definitions"></xref> that E1 has a more compact representation than E2.)</t>
<t>Minimal-pubkey-size: public keys are points in G1,
signatures are points in G2.<vspace />
Implementations using signature aggregation SHOULD use this approach,
since the size of (PK_1, ..., PK_n, signature) is dominated by
the public keys even for small n.</t>
</list>
</t>
</section>
<section anchor="coreparams" title="Parameters">
<t>The core operations in this section depend on several parameters:</t>
<t>
<list style="symbols">
<t>A signature variant, either minimal-signature-size or minimal-pubkey-size.
These are defined in <xref target="corevariants"></xref>.</t>
<t>A pairing-friendly elliptic curve, plus associated functionality
given in <xref target="definitions"></xref>.</t>
<t>H, a hash function that MUST be a secure cryptographic hash function,
e.g., SHA-256 <xref target="FIPS180-4"></xref>.
For security, H MUST output at least ceil(log2(r)) bits, where r is
the order of the subgroups G1 and G2 defined by the pairing-friendly
elliptic curve.</t>
<t>hash_to_point, a function whose interface is described in <xref target="definitions"></xref>.
When the signature variant is minimal-signature-size, this function
MUST output a point in G1.
When the signature variant is minimal-pubkey size, this function
MUST output a point in G2.
For security, this function MUST be either a random oracle encoding or a
nonuniform encoding, as defined in <xref target="I-D.irtf-cfrg-hash-to-curve"></xref>.</t>
</list>
</t>
<t>In addition, the following primitives are determined by the above parameters:</t>
<t>
<list style="symbols">
<t>P, an elliptic curve point.
When the signature variant is minimal-signature-size, P is the
distinguished point P2 that generates the group G2 (see <xref target="definitions"></xref>).
When the signature variant is minimal-pubkey-size, P is the
distinguished point P1 that generates the group G1.</t>
<t>r, the order of the subgroups G1 and G2 defined by the pairing-friendly curve.</t>
<t>pairing, a function that invokes the function e of <xref target="definitions"></xref>,
with argument order depending on signature variant:
<list style="symbols">
<t>For minimal-signature-size:<vspace />
pairing(U, V) := e(U, V)</t>
<t>For minimal-pubkey-size:<vspace />
pairing(U, V) := e(V, U)</t>
</list></t>
<t>point_to_pubkey and point_to_signature, functions that invoke the
appropriate serialization routine (<xref target="definitions"></xref>) depending on
signature variant:
<list style="symbols">
<t>For minimal-signature-size:<vspace />
point_to_pubkey(P) := point_to_octets_E2(P)<vspace />
point_to_signature(P) := point_to_octets_E1(P)</t>
<t>For minimal-pubkey-size:<vspace />
point_to_pubkey(P) := point_to_octets_E1(P)<vspace />
point_to_signature(P) := point_to_octets_E2(P)</t>
</list></t>
<t>pubkey_to_point and signature_to_point, functions that invoke the
appropriate deserialization routine (<xref target="definitions"></xref>) depending on
signature variant:
<list style="symbols">
<t>For minimal-signature-size:<vspace />
pubkey_to_point(ostr) := octets_to_point_E2(ostr)<vspace />
signature_to_point(ostr) := octets_to_point_E1(ostr)</t>
<t>For minimal-pubkey-size:<vspace />
pubkey_to_point(ostr) := octets_to_point_E1(ostr)<vspace />
signature_to_point(ostr) := octets_to_point_E2(ostr)</t>
</list></t>
<t>pubkey_subgroup_check and signature_subgroup_check, functions
that invoke the appropriate subgroup check routine (<xref target="definitions"></xref>)
depending on signature variant:
<list style="symbols">
<t>For minimal-signature-size:<vspace />
pubkey_subgroup_check(P) := subgroup_check_E2(P)<vspace />
signature_subgroup_check(P) := subgroup_check_E1(P)</t>
<t>For minimal-pubkey-size:<vspace />
pubkey_subgroup_check(P) := subgroup_check_E1(P)<vspace />
signature_subgroup_check(P) := subgroup_check_E2(P)</t>
</list></t>
</list>
</t>
</section>
<section anchor="keygen" title="KeyGen">
<t>The KeyGen algorithm generates a secret key SK deterministically from
a secret octet string IKM.</t>
<t>KeyGen uses HKDF <xref target="RFC5869"></xref> instantiated with the hash function H.</t>
<t>For security, IKM MUST be infeasible to guess, e.g.,
generated by a trusted source of randomness.
IKM MUST be at least 32 bytes long, but it MAY be longer.</t>
<t>Because KeyGen is deterministic, implementations MAY choose either to store
the resulting SK or to store IKM and call KeyGen to derive SK when necessary.</t>
<t>KeyGen takes an optional parameter, key_info.
This parameter MAY be used to derive multiple independent keys from the same IKM.
By default, key_info is the empty string.</t>
<figure><artwork>SK = KeyGen(IKM)
Inputs:
- IKM, a secret octet string. See requirements above.
Outputs:
- SK, a uniformly random integer such that 0 <= SK < r.
Parameters:
- key_info, an optional octet string.
If key_info is not supplied, it defaults to the empty string.
Definitions:
- HKDF-Extract is as defined in RFC5869, instantiated with hash H.
- HKDF-Expand is as defined in RFC5869, instantiated with hash H.
- I2OSP and OS2IP are as defined in RFC8017, Section 4.
- L is the integer given by ceil((3 * ceil(log2(r))) / 16).
- "BLS-SIG-KEYGEN-SALT-" is an ASCII string comprising 20 octets.
Procedure:
1. PRK = HKDF-Extract("BLS-SIG-KEYGEN-SALT-", IKM || I2OSP(0, 1))
2. OKM = HKDF-Expand(PRK, key_info || I2OSP(L, 2), L)
3. SK = OS2IP(OKM) mod r
4. return SK
</artwork></figure>
</section>
<section anchor="sktopk" title="SkToPk">
<t>The SkToPk algorithm takes a secret key SK and outputs the corresponding
public key PK.</t>
<t>SK MUST be indistinguishable from uniformly random modulo r (<xref target="coreparams"></xref>)
and infeasible to guess, e.g., generated using a trusted source of randomness.
KeyGen (<xref target="keygen"></xref>) outputs SK meeting these requirements.
Other key generation approaches meeting these requirements MAY also be used;
details of such methods are beyond the scope of this document.</t>
<figure><artwork>PK = SkToPk(SK)
Inputs:
- SK, a secret integer such that 0 <= SK < r.
Outputs:
- PK, a public key encoded as an octet string.
Procedure:
1. xP = SK * P
2. PK = point_to_pubkey(xP)
3. return PK
</artwork></figure>
</section>
<section anchor="keyvalidate" title="KeyValidate">
<t>The KeyValidate algorithm ensures that a public key is valid.</t>
<t>As an optimization, implementations MAY cache the result of KeyValidate
in order to avoid unnecessarily repeating validation for known keys.</t>
<figure><artwork>result = KeyValidate(PK)
Inputs:
- PK, a public key in the format output by SkToPk.
Outputs:
- result, either VALID or INVALID
Procedure:
1. xP = pubkey_to_point(PK)
2. If xP is INVALID, return INVALID
3. If pubkey_subgroup_check(xP) is INVALID, return INVALID
4. return VALID
</artwork></figure>
</section>
<section anchor="coresign" title="CoreSign">
<t>The CoreSign algorithm computes a signature from SK, a secret key,
and message, an octet string.</t>
<figure><artwork>signature = CoreSign(SK, message)
Inputs:
- SK, a secret key in the format output by KeyGen.
- message, an octet string.
Outputs:
- signature, an octet string.
Procedure:
1. Q = hash_to_point(message)
2. R = SK * Q
3. signature = point_to_signature(R)
4. return signature
</artwork></figure>
</section>
<section anchor="coreverify" title="CoreVerify">
<t>The CoreVerify algorithm checks that a signature is valid for
the octet string message under the public key PK.</t>
<figure><artwork>result = CoreVerify(PK, message, signature)
Inputs:
- PK, a public key in the format output by SkToPk.
- message, an octet string.
- signature, an octet string in the format output by CoreSign.
Outputs:
- result, either VALID or INVALID.
Procedure:
1. R = signature_to_point(signature)
2. If R is INVALID, return INVALID
3. If signature_subgroup_check(R) is INVALID, return INVALID
4. If KeyValidate(PK) is INVALID, return INVALID
5. xP = pubkey_to_point(PK)
6. Q = hash_to_point(message)
7. C1 = pairing(Q, xP)
8. C2 = pairing(R, P)
9. If C1 == C2, return VALID, else return INVALID
</artwork></figure>
</section>
<section anchor="aggregate" title="Aggregate">
<t>The Aggregate algorithm aggregates multiple signatures into one.</t>
<figure><artwork>signature = Aggregate((signature_1, ..., signature_n))
Inputs:
- signature_1, ..., signature_n, octet strings output by
either CoreSign or Aggregate.
Outputs:
- signature, an octet string encoding a aggregated signature
that combines all inputs; or INVALID.
Precondition: n >= 1, otherwise return INVALID.
Procedure:
1. aggregate = signature_to_point(signature_1)
2. If aggregate is INVALID, return INVALID
3. for i in 2, ..., n:
4. next = signature_to_point(signature_i)
5. If next is INVALID, return INVALID
6. aggregate = aggregate + next
7. signature = point_to_signature(aggregate)
8. return signature
</artwork></figure>
</section>
<section anchor="coreaggregateverify" title="CoreAggregateVerify">
<t>The CoreAggregateVerify algorithm checks an aggregated signature
over several (PK, message) pairs.</t>
<figure><artwork>result = CoreAggregateVerify((PK_1, ..., PK_n),
(message_1, ... message_n),
signature)
Inputs:
- PK_1, ..., PK_n, public keys in the format output by SkToPk.
- message_1, ..., message_n, octet strings.
- signature, an octet string output by Aggregate.
Outputs:
- result, either VALID or INVALID.
Precondition: n >= 1, otherwise return INVALID.
Procedure:
1. R = signature_to_point(signature)
2. If R is INVALID, return INVALID
3. If signature_subgroup_check(R) is INVALID, return INVALID
4. C1 = 1 (the identity element in GT)
5. for i in 1, ..., n:
6. If KeyValidate(PK_i) is INVALID, return INVALID
7. xP = pubkey_to_point(PK_i)
8. Q = hash_to_point(message_i)
9. C1 = C1 * pairing(Q, xP)
10. C2 = pairing(R, P)
11. If C1 == C2, return VALID, else return INVALID
</artwork></figure>
</section>
</section>
<section anchor="schemes" title="BLS Signatures">
<t>This section defines three signature schemes: basic, message augmentation,
and proof of possession.
These schemes differ in the ways that they defend against rogue key
attacks (<xref target="definitions"></xref>).</t>
<t>All of the schemes in this section are built on a set of core operations
defined in <xref target="coreops"></xref>.
Thus, defining a scheme requires fixing a set of parameters as
defined in <xref target="coreparams"></xref>.</t>
<t>All three schemes expose the KeyGen, SkToPk, and Aggregate operations
that are defined in <xref target="coreops"></xref>.
The sections below define the other API functions (<xref target="blsapi"></xref>)
for each scheme.</t>
<section anchor="schemenul" title="Basic scheme">
<t>In a basic scheme, rogue key attacks are handled by requiring
all messages signed by an aggregate signature to be distinct.
This requirement is enforced in the definition of AggregateVerify.</t>
<t>The Sign and Verify functions are identical to CoreSign and
CoreVerify (<xref target="coreops"></xref>), respectively.
AggregateVerify is defined below.</t>
<section anchor="aggregateverify" title="AggregateVerify">
<t>This function first ensures that all messages are distinct, and then
invokes CoreAggregateVerify.</t>
<figure><artwork>result = AggregateVerify((PK_1, ..., PK_n),
(message_1, ..., message_n),
signature)
Inputs:
- PK_1, ..., PK_n, public keys in the format output by SkToPk.
- message_1, ..., message_n, octet strings.
- signature, an octet string output by Aggregate.
Outputs:
- result, either VALID or INVALID.
Precondition: n >= 1, otherwise return INVALID.
Procedure:
1. If any two input messages are equal, return INVALID.
2. return CoreAggregateVerify((PK_1, ..., PK_n),
(message_1, ..., message_n),
signature)
</artwork></figure>
</section>
</section>
<section anchor="schemeaug" title="Message augmentation">
<t>In a message augmentation scheme, signatures are generated
over the concatenation of the public key and the message,
ensuring that messages signed by different public keys are
distinct.</t>
<section anchor="sign" title="Sign">
<t>To match the API for Sign defined in <xref target="blsapi"></xref>, this function
recomputes the public key corresponding to the input SK.
Implementations MAY instead implement an interface that takes
the public key as an input.</t>
<t>Note that the point P and the point_to_pubkey function are
defined in <xref target="coreparams"></xref>.</t>
<figure><artwork>signature = Sign(SK, message)
Inputs:
- SK, a secret key in the format output by KeyGen.
- message, an octet string.
Outputs:
- signature, an octet string.
Procedure:
1. PK = SkToPk(SK)
2. return CoreSign(SK, PK || message)
</artwork></figure>
</section>
<section anchor="verify" title="Verify">
<figure><artwork>result = Verify(PK, message, signature)
Inputs:
- PK, a public key in the format output by SkToPk.
- message, an octet string.
- signature, an octet string in the format output by CoreSign.
Outputs:
- result, either VALID or INVALID.
Procedure:
1. return CoreVerify(PK, PK || message, signature)
</artwork></figure>
</section>
<section anchor="aggregateverify-1" title="AggregateVerify">
<figure><artwork>result = AggregateVerify((PK_1, ..., PK_n),
(message_1, ..., message_n),
signature)
Inputs:
- PK_1, ..., PK_n, public keys in the format output by SkToPk.
- message_1, ..., message_n, octet strings.
- signature, an octet string output by Aggregate.
Outputs:
- result, either VALID or INVALID.
Precondition: n >= 1, otherwise return INVALID.
Procedure:
1. for i in 1, ..., n:
2. mprime_i = PK_i || message_i
3. return CoreAggregateVerify((PK_1, ..., PK_n),
(mprime_1, ..., mprime_n),
signature)
</artwork></figure>
</section>
</section>
<section anchor="schemepop" title="Proof of possession">
<t>A proof of possession scheme uses a separate public key
validation step, called a proof of possession, to defend against
rogue key attacks.
This enables an optimization to aggregate signature verification
for the case that all signatures are on the same message.</t>
<t>The Sign, Verify, and AggregateVerify functions
are identical to CoreSign, CoreVerify, and CoreAggregateVerify
(<xref target="coreops"></xref>), respectively.
In addition, a proof of possession scheme defines three functions beyond
the standard API (<xref target="blsapi"></xref>):</t>
<t>
<list style="symbols">
<t>PopProve(SK) -> proof: an algorithm that generates a proof of possession
for the public key corresponding to secret key SK.</t>
<t>PopVerify(PK, proof) -> VALID or INVALID:
an algorithm that outputs VALID if proof is valid for PK, and INVALID otherwise.</t>
<t>FastAggregateVerify((PK_1, ..., PK_n), message, signature) -> VALID or INVALID:
a verification algorithm for the aggregate of multiple signatures on
the same message.
This function is faster than AggregateVerify.</t>
</list>
</t>
<t>All public keys used by Verify, AggregateVerify, and FastAggregateVerify
MUST be accompanied by a proof of possession, and the result of evaluating
PopVerify on the public key and proof MUST be VALID.</t>
<section anchor="popparams" title="Parameters">
<t>In addition to the parameters required to instantiate the core operations
(<xref target="coreparams"></xref>), a proof of possession scheme requires one further parameter:</t>
<t>
<list style="symbols">
<t>hash_pubkey_to_point(PK) -> P: a cryptographic hash function that takes as
input a public key and outputs a point in the same subgroup as the
hash_to_point algorithm used to instantiate the core operations.<vspace />
For security, this function MUST be domain separated from the hash_to_point function.
In addition, this function MUST be either a random oracle encoding or a
nonuniform encoding, as defined in <xref target="I-D.irtf-cfrg-hash-to-curve"></xref>.<vspace />
The RECOMMENDED way of instantiating hash_pubkey_to_point is to use
the same hash-to-curve function as hash_to_point, with a
different domain separation tag (see <xref target="I-D.irtf-cfrg-hash-to-curve"></xref>, Section 3.1).
<xref target="ciphersuites-format"></xref> discusses the RECOMMENDED way to construct the
domain separation tag.</t>
</list>
</t>
</section>
<section anchor="popprove" title="PopProve">
<t>This function recomputes the public key coresponding to the input SK.
Implementations MAY instead implement an interface that takes the
public key as input.</t>
<t>Note that the point P and the point_to_pubkey and point_to_signature
functions are defined in <xref target="coreparams"></xref>.
The hash_pubkey_to_point function is defined in <xref target="popparams"></xref>.</t>
<figure><artwork>proof = PopProve(SK)
Inputs:
- SK, a secret key in the format output by KeyGen.
Outputs:
- proof, an octet string.
Procedure:
1. PK = SkToPk(SK)
2. Q = hash_pubkey_to_point(PK)
3. R = SK * Q
4. proof = point_to_signature(R)
5. return proof
</artwork></figure>
</section>
<section anchor="popverify" title="PopVerify">
<t>PopVerify uses several functions defined in <xref target="coreops"></xref>.
The hash_pubkey_to_point function is defined in <xref target="popparams"></xref>.</t>
<t>As an optimization, implementations MAY cache the result of PopVerify
in order to avoid unnecessarily repeating validation for known keys.</t>
<figure><artwork>result = PopVerify(PK, proof)
Inputs:
- PK, a public key in the format output by SkToPk.
- proof, an octet string in the format output by PopProve.
Outputs:
- result, either VALID or INVALID
Procedure:
1. R = signature_to_point(proof)
2. If R is INVALID, return INVALID
3. If signature_subgroup_check(R) is INVALID, return INVALID
4. If KeyValidate(PK) is INVALID, return INVALID
5. xP = pubkey_to_point(PK)
6. Q = hash_pubkey_to_point(PK)
7. C1 = pairing(Q, xP)
8. C2 = pairing(R, P)
9. If C1 == C2, return VALID, else return INVALID
</artwork></figure>
</section>
<section anchor="fastaggregateverify" title="FastAggregateVerify">
<t>FastAggregateVerify uses several functions defined in <xref target="coreops"></xref>.</t>
<figure><artwork>result = FastAggregateVerify((PK_1, ..., PK_n), message, signature)
Inputs:
- PK_1, ..., PK_n, public keys in the format output by SkToPk.
- message, an octet string.
- signature, an octet string output by Aggregate.
Outputs:
- result, either VALID or INVALID.
Precondition: n >= 1, otherwise return INVALID.
Procedure:
1. aggregate = pubkey_to_point(PK_1)
2. for i in 2, ..., n:
3. next = pubkey_to_point(PK_i)
4. aggregate = aggregate + next
5. PK = point_to_pubkey(aggregate)
6. return CoreVerify(PK, message, signature)
</artwork></figure>
</section>
</section>
</section>
<section anchor="ciphersuites" title="Ciphersuites">
<t>This section defines the format for a BLS ciphersuite.
It also gives concrete ciphersuites based on the BLS12-381 pairing-friendly
elliptic curve <xref target="I-D.irtf-cfrg-pairing-friendly-curves"></xref>.</t>
<section anchor="ciphersuites-format" title="Ciphersuite format">
<t>A ciphersuite specifies all parameters from <xref target="coreparams"></xref>,
a scheme from <xref target="schemes"></xref>, and any parameters the scheme requires.
In particular, a ciphersuite comprises:</t>
<t>
<list style="symbols">
<t>ID: the ciphersuite ID, an ASCII string. The REQUIRED format for
this string is<vspace />
"BLS_SIG_" || H2C_SUITE_ID || SC_TAG || "_"
<list style="symbols">
<t>Strings in double quotes are ASCII-encoded literals.</t>
<t>H2C_SUITE_ID is the suite ID of the hash-to-curve suite
used to define the hash_to_point and hash_pubkey_to_point
functions.</t>
<t>SC_TAG is a string indicating the scheme and, optionally, additional information.
The first three characters of this string MUST chosen as follows:
<list style="symbols">
<t>"NUL" if SC is basic,</t>
<t>"AUG" if SC is message-augmentation, or</t>
<t>"POP" if SC is proof-of-possession.</t>
<t>Other values MUST NOT be used.</t>
</list>
<vspace />
SC_TAG MAY be used to encode other information about the
ciphersuite, for example, a version number.
When used in this way, SC_TAG MUST contain only ASCII characters
between 0x21 and 0x7e (inclusive), except that it MUST NOT contain
underscore (0x5f).<vspace />
The RECOMMENDED way to add user-defined information to SC_TAG is to
append a colon (':', ASCII 0x3a) and then the informational string.
For example, "NUL:version=2" is an appropriate SC_TAG value.</t>
</list>
<vspace />
Note that hash-to-curve suite IDs always include a trailing underscore,
so no field separator is needed between H2C_SUITE_ID and SC_TAG.</t>
<t>SC: the scheme, one of basic, message-augmentation, or proof-of-possession.</t>
<t>SV: the signature variant, either minimal-signature-size or
minimal-pubkey-size.</t>
<t>EC: a pairing-friendly elliptic curve, plus all associated functionality
(<xref target="definitions"></xref>).</t>
<t>H: a cryptographic hash function.</t>
<t>hash_to_point: a hash from arbitrary strings to elliptic curve points.
hash_to_point MUST be defined in terms of a hash-to-curve suite <xref target="I-D.irtf-cfrg-hash-to-curve"></xref>.<vspace />
The RECOMMENDED hash-to-curve domain separation tag is the ciphersuite ID string defined above.</t>
<t>hash_pubkey_to_point (only specified when SC is proof-of-possession):
a hash from serialized public keys to elliptic curve points.
hash_pubkey_to_point MUST be defined in terms of a
hash-to-curve suite <xref target="I-D.irtf-cfrg-hash-to-curve"></xref>.<vspace />
The hash-to-curve domain separation tag MUST be distinct from the domain
separation tag used for hash_to_point.
It is RECOMMENDED that the domain separation tag be constructed similarly to
the ciphersuite ID string, namely:<vspace />
"BLS_POP_" || H2C_SUITE_ID || SC_TAG || "_"</t>
</list>
</t>
</section>
<section anchor="ciphersuites-for-bls12-381" title="Ciphersuites for BLS12-381">
<t>The following ciphersuites are all built on the BLS12-381 elliptic curve.
The required primitives for this curve are given in <xref target="bls12381def"></xref>.</t>
<t>These ciphersuites use the hash-to-curve suites
BLS12381G1_XMD:SHA-256_SSWU_RO_ and
BLS12381G2_XMD:SHA-256_SSWU_RO_
defined in <xref target="I-D.irtf-cfrg-hash-to-curve"></xref>, Section 8.7.
Each ciphersuite defines a unique hash_to_point function by specifying
a domain separation tag (see [@I-D.irtf-cfrg-hash-to-curve, Section 3.1).</t>
<section anchor="basic" title="Basic">
<t>BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_ is defined as follows:</t>
<t>
<list style="symbols">
<t>SC: basic</t>
<t>SV: minimal-signature-size</t>
<t>EC: BLS12-381, as defined in <xref target="bls12381def"></xref>.</t>
<t>H: SHA-256</t>
<t>hash_to_point: BLS12381G1_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag<vspace />
BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_</t>
</list>
</t>
<t>BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_ is identical to
BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_, except for the
following parameters:</t>
<t>
<list style="symbols">
<t>SV: minimal-pubkey-size</t>
<t>hash_to_point: BLS12381G2_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag<vspace />
BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_</t>
</list>
</t>
</section>
<section anchor="message-augmentation" title="Message augmentation">
<t>BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_AUG_ is defined as follows:</t>
<t>
<list style="symbols">
<t>SC: message-augmentation</t>
<t>SV: minimal-signature-size</t>
<t>EC: BLS12-381, as defined in <xref target="bls12381def"></xref>.</t>
<t>H: SHA-256</t>
<t>hash_to_point: BLS12381G1_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag<vspace />
BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_AUG_</t>
</list>
</t>
<t>BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_AUG_ is identical to
BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_AUG_, except for the
following parameters:</t>
<t>
<list style="symbols">
<t>SV: minimal-pubkey-size</t>
<t>hash_to_point: BLS12381G2_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag<vspace />
BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_AUG_</t>
</list>
</t>
</section>
<section anchor="proof-of-possession" title="Proof of possession">
<t>BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_POP_ is defined as follows:</t>
<t>
<list style="symbols">
<t>SC: proof-of-possession</t>
<t>SV: minimal-signature-size</t>
<t>EC: BLS12-381, as defined in <xref target="bls12381def"></xref>.</t>
<t>H: SHA-256</t>
<t>hash_to_point: BLS12381G1_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag<vspace />
BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_POP_</t>
<t>hash_pubkey_to_point: BLS12381G1_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag<vspace />
BLS_POP_BLS12381G1_XMD:SHA-256_SSWU_RO_POP_</t>
</list>
</t>
<t>BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_ is identical to
BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_POP_, except for the
following parameters:</t>
<t>
<list style="symbols">
<t>SV: minimal-pubkey-size</t>
<t>hash_to_point: BLS12381G2_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag<vspace />
BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_</t>
<t>hash_pubkey_to_point: BLS12381G2_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag<vspace />
BLS_POP_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_</t>
</list>
</t>
</section>
</section>
</section>
<section anchor="security-considerations" title="Security Considerations">
<section anchor="pubkeyvalid" title="Validating public keys">
<t>All algorithms in <xref target="coreops"></xref> and <xref target="schemes"></xref> that operate on public keys
require first validating those keys.
For the basic and message augmentation schemes, the use of KeyValidate
is REQUIRED.
For the proof of possession scheme, each public key MUST be accompanied by
a proof of possession, and use of PopVerify is REQUIRED.</t>
</section>
<section anchor="skipping-membership-check" title="Skipping membership check">
<t>Some existing implementations skip the signature_subgroup_check invocation
in CoreVerify (<xref target="coreverify"></xref>), whose purpose is ensuring that the signature
is an element of a prime-order subgroup.
This check is REQUIRED of conforming implementations, for two reasons.</t>
<t>
<list style="numbers">
<t>For most pairing-friendly elliptic curves used in practice, the pairing
operation e (<xref target="definitions"></xref>) is undefined when its input points are not
in the prime-order subgroups of E1 and E2.
The resulting behavior is unpredictable, and may enable forgeries.</t>
<t>Even if the pairing operation behaves properly on inputs that are outside
the correct subgroups, skipping the subgroup check breaks the strong
unforgeability property <xref target="ADR02"></xref>.</t>
</list>
</t>
</section>
<section anchor="side-channel-attacks" title="Side channel attacks">
<t>Implementations of the signing algorithm SHOULD protect the secret key
from side-channel attacks.
One method for protecting against certain side-channel attacks is ensuring
that the implementation executes exactly the same sequence of
instructions and performs exactly the same memory accesses, for any
value of the secret key.
In other words, implementations on the underlying pairing-friendly elliptic
curve SHOULD run in constant time.</t>
</section>
<section anchor="randomness-considerations" title="Randomness considerations">
<t>BLS signatures are deterministic. This protects against attacks
arising from signing with bad randomness, for example, the nonce reuse
attack on ECDSA <xref target="HDWH12"></xref>.</t>
<t>As discussed in <xref target="keygen"></xref>, the IKM input to KeyGen MUST be infeasible
to guess and MUST be kept secret.
One possibility is to generate IKM from a trusted source of randomness.
Guidelines on constructing such a source are outside the scope of this
document.</t>
<t>Secret keys MAY be generated using other methods; in this case they MUST
be infeasible to guess and MUST be indistinguishable from uniformly random
modulo r.</t>
</section>
<section anchor="implementing-hash-to-point-and-hash-pubkey-to-point" title="Implementing hash_to_point and hash_pubkey_to_point">
<t>The security analysis models hash_to_point and hash_pubkey_to_point
as random oracles.
It is crucial that these functions are implemented using a cryptographically
secure hash function.
For this purpose, implementations MUST meet the requirements of
<xref target="I-D.irtf-cfrg-hash-to-curve"></xref>.</t>
<t>In addition, ciphersuites MUST specify unique domain separation tags
for hash_to_point and hash_pubkey_to_point.
The domain separation tag format used in <xref target="ciphersuites"></xref> is the RECOMMENDED one.</t>
</section>
</section>
<section anchor="implementation-status" title="Implementation Status">
<t>This section will be removed in the final version of the draft.
There are currently several implementations of BLS signatures using the BLS12-381 curve.</t>
<t>