# Boneh–Lynn–Shacham

# Boneh–Lynn–Shacham

`Incryptography, the`

**Boneh–Lynn–Shacham**(**BLS**)signature schemeallows a user to verify that a signer is*authentic*. The scheme uses abilinear pairingfor verification, and signatures are elements of anelliptic curvegroup. Working in an elliptic curve group provides some defense againstindex calculusattacks (with the caveat that such attacks are still possible in the target groupof the pairing), allowing shorter signatures thanFDHsignatures for a similarlevel of security. Signatures produced by the BLS signature scheme are often referred to as*short signatures*,*BLS short signatures*, or simply*BLS signatures*. The signature scheme isprovably secure(the scheme isexistentially unforgeableunderadaptive chosen-message attacks) assuming both the existence ofrandom oraclesand the intractability of thecomputational Diffie–Hellman problemin a gap Diffie–Hellman group.^{[1]}Pairing functions

A gap group is a group in which the computational Diffie–Hellman problem is intractable but the decisional Diffie–Hellman problem can be efficiently solved. Non-degenerate, efficiently computable, bilinear pairings permit such groups.

`Letbe a non-degenerate, efficiently computable, bilinear pairing where,are groups of prime order,. Letbe a generator of. Consider an instance of theCDH problem,,,. Intuitively, the pairing functiondoes not help us compute, the solution to the CDH problem. It is conjectured that this instance of the CDH problem is intractable. Given, we may check to see ifwithout knowledge of,, and, by testing whetherholds.`

`By using the bilinear propertytimes, we see that if, then, sinceis a prime order group,.`

The scheme

A signature scheme consists of three functions: *generate*, *sign*, and *verify*.

Key generation

`The key generation algorithm selects a random integerin the interval [0,`

*r*− 1]. The private key is. The holder of the private key publishes the public key,.Signing

`Given the private key, and some message, we compute the signature by hashing the bitstring, as. We output the signature.`

Verification

`Given a signatureand a public key, we verify that.`

Properties

Simple Threshold Signatures

Signature Aggregation: Multiple signatures generated under multiple public keys for multiple messages can be aggregated into a single signature.

^{[2]}Unique and deterministic: for a given key and message, there is only one valid signature (like RSA PKCS1 v1.5, EdDSA and unlike RSA PSS, DSA, ECDSA and Schnorr).

See also

Pairing-based cryptography

## References

*Journal of Cryptology*.

**17**(4): 297–319. CiteSeerX 10.1.1.589.9141. doi:10.1007/s00145-004-0314-9.