|
\documentclass{article}
|
|
\usepackage[utf8]{inputenc}
|
|
\usepackage{amsfonts}
|
|
\usepackage{amsthm}
|
|
\usepackage{amsmath}
|
|
\usepackage{enumerate}
|
|
\usepackage{hyperref}
|
|
\hypersetup{
|
|
colorlinks,
|
|
citecolor=black,
|
|
filecolor=black,
|
|
linkcolor=black,
|
|
urlcolor=blue
|
|
}
|
|
\usepackage{xcolor}
|
|
|
|
% prevent warnings of underfull \hbox:
|
|
\usepackage{etoolbox}
|
|
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
|
|
|
|
\theoremstyle{definition}
|
|
\newtheorem{definition}{Def}[section]
|
|
\newtheorem{theorem}[definition]{Thm}
|
|
|
|
|
|
\title{Notes on BLS Signatures}
|
|
\author{arnaucube}
|
|
\date{}
|
|
|
|
\begin{document}
|
|
|
|
\maketitle
|
|
|
|
\begin{abstract}
|
|
Notes taken while reading about BLS signatures \cite{bls-sig-eth2}. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
|
|
|
|
The notes are not complete, don't include all the steps neither all the proofs.
|
|
\end{abstract}
|
|
|
|
% \tableofcontents
|
|
|
|
\section{BLS signatures}
|
|
|
|
\paragraph{Key generation}
|
|
$sk \in \mathbb{Z}_q$, $pk = [sk] \cdot g_1$, where $g_1 \in G_1$, and is the generator.
|
|
|
|
\paragraph{Signature}
|
|
$$\sigma = [sk] \cdot H(m)$$
|
|
where $H$ is a function that maps to a point in $G_2$. So $H(m), \sigma \in G_2$.
|
|
|
|
\paragraph{Verification}
|
|
$$e(g_1, \sigma) == e(pk, H(m))$$
|
|
|
|
Unfold:
|
|
$$e(pk, H(m)) = e([sk] \cdot g_1, H(m) = e(g_1, H(m))^{sk} = e(g_1, [sk] \cdot H(m)) = e(g_1, \sigma))$$
|
|
|
|
\paragraph{Aggregation}
|
|
Signatures aggregation:
|
|
$$\sigma_{aggr} = \sigma_1 + \sigma_2 + \ldots + \sigma_n$$
|
|
where $\sigma_{aggr} \in G_2$, and an aggregated signatures is indistinguishible from a non-aggregated signature.
|
|
|
|
\vspace{0.5cm}
|
|
Public keys aggregation:
|
|
$$pk_{aggr} = pk_1 + pk_2 + \ldots + pk_n$$
|
|
where $pk_{aggr} \in G_1$, and an aggregated public keys is indistinguishible from a non-aggregated public key.
|
|
|
|
|
|
\paragraph{Verification of aggregated signatures}
|
|
Identical to verification of a normal signature as long as we use the same corresponding aggregated public key:
|
|
$$e(g_1, \sigma_{aggr})==e(pk_{aggr}, H(m))$$
|
|
|
|
Unfold:
|
|
$$\fbox{e(pk_{aggr}, H(m))}= e(pk_1 + pk_2 + \ldots + pk_n, H(m)) =$$
|
|
$$=e([sk_1] \cdot g_1 + [sk_2] \cdot g_1 + \ldots + [sk_n] \cdot g_1, H(m))=$$
|
|
$$=e([sk_1 + sk_2 + \ldots + sk_n] \cdot g_1, H(m))=$$
|
|
$$=[sk_1 + sk_2 + \ldots + sk_n]~\cdot~e(g_1, H(m))=$$
|
|
$$=e(g_1, [sk_1 + sk_2 + \ldots + sk_n] \cdot H(m))=$$
|
|
$$=e(g_1, [sk_1] \cdot H(m) + [sk_2] \cdot H(m) + \ldots + [sk_n] \cdot H(m))=$$
|
|
$$=e(g_1, \sigma_1 + \sigma_2 + \ldots + \sigma_n)= \fbox{e(g_1, \sigma_{aggr})}$$
|
|
|
|
|
|
Note: in the current notes $pk \in G_1$ and $\sigma, H(m) \in G_2$, but we could use $\sigma, H(m) \in G_1$ and $pk \in G_2$.
|
|
|
|
\bibliography{paper-notes.bib}
|
|
\bibliographystyle{unsrt}
|
|
|
|
\end{document}
|