2018-12-09 14:21:34 +00:00
# BLS signature verification
2018-11-27 11:08:43 -05:00
**Warning: This document is pending academic review and should not yet be considered secure.**
2018-12-09 14:21:34 +00:00
## Table of contents
<!-- TOC -->
2018-11-27 11:08:43 -05:00
2018-12-09 14:21:34 +00:00
- [BLS signature verification ](#bls-signature-verification )
- [Table of contents ](#table-of-contents )
2018-12-10 10:43:42 +00:00
- [Curve parameters ](#curve-parameters )
2018-12-09 14:21:34 +00:00
- [Point representations ](#point-representations )
- [G1 points ](#g1-points )
- [G2 points ](#g2-points )
- [Helpers ](#helpers )
- [`hash_to_G2` ](#hash_to_g2 )
2018-12-09 14:43:13 +00:00
- [`modular_squareroot` ](#modular_squareroot )
2018-12-17 08:48:06 -06:00
- [Aggregation operations ](#aggregation-operations )
- [`bls_aggregate_pubkeys` ](#bls_aggregate_pubkeys )
- [`bls_aggregate_signatures` ](#bls_aggregate_signatures )
2018-12-09 14:21:34 +00:00
- [Signature verification ](#signature-verification )
- [`bls_verify` ](#bls_verify )
- [`bls_verify_multiple` ](#bls_verify_multiple )
2018-11-27 11:08:43 -05:00
2018-12-09 14:21:34 +00:00
<!-- /TOC -->
2018-11-27 11:08:43 -05:00
2018-12-10 10:43:42 +00:00
## Curve parameters
2018-12-09 14:43:13 +00:00
2018-12-09 14:21:34 +00:00
The BLS12-381 curve parameters are defined [here ](https://z.cash/blog/new-snark-curve ).
2018-11-27 11:08:43 -05:00
2018-12-09 14:21:34 +00:00
## Point representations
2018-11-27 11:08:43 -05:00
2018-12-09 14:21:34 +00:00
We represent points in the groups G1 and G2 following [zkcrypto/pairing ](https://github.com/zkcrypto/pairing/tree/master/src/bls12_381 ). We denote by `q` the field modulus and by `i` the imaginary unit.
2018-11-27 11:08:43 -05:00
2018-12-09 14:21:34 +00:00
### G1 points
2018-11-27 11:08:43 -05:00
2018-12-10 10:34:36 +00:00
A point in G1 is represented as a 384-bit integer `z` decomposed as a 381-bit integer `x` and three 1-bit flags in the top bits:
2018-11-27 11:08:43 -05:00
2018-12-09 14:21:34 +00:00
* `x = z % 2**381`
* `a_flag = (z % 2**382) // 2**381`
* `b_flag = (z % 2**383) // 2**382`
* `c_flag = (z % 2**384) // 2**383`
2018-12-10 10:34:36 +00:00
Respecting bit ordering, `z` is decomposed as `(c_flag, b_flag, a_flag, x)` .
2018-12-09 14:21:34 +00:00
We require:
* `x < q`
* `c_flag == 1`
2018-12-09 23:44:44 -05:00
* if `b_flag == 1` then `a_flag == x == 0` and `z` represents the point at infinity
* if `b_flag == 0` then `z` represents the point `(x, y)` where `y` is the valid coordinate such that `(y * 2) // q == a_flag`
2018-12-09 14:21:34 +00:00
### G2 points
2018-12-09 23:44:44 -05:00
A point in G2 is represented as a pair of 384-bit integers `(z1, z2)` . We decompose `z1` as above into `x1` , `a_flag1` , `b_flag1` , `c_flag1` and `z2` into `x2` , `a_flag2` , `b_flag2` , `c_flag2` .
2018-12-09 14:21:34 +00:00
We require:
* `x1 < q` and `x2 < q`
* `a_flag2 == b_flag2 == c_flag2 == 0`
* `c_flag1 == 1`
2018-12-09 23:44:44 -05:00
* if `b_flag1 == 1` then `a_flag1 == x1 == x2 == 0` and `(z1, z2)` represents the point at infinity
* if `b_flag1 == 0` then `(z1, z2)` represents the point `(x1 * i + x2, y)` where `y` is the valid coordinate such that the imaginary part `y_im` of `y` satisfies `(y_im * 2) // q == a_flag1`
2018-12-09 14:21:34 +00:00
## Helpers
### `hash_to_G2`
2018-11-27 11:08:43 -05:00
```python
G2_cofactor = 305502333931268344200999753193121504214466019254188142667664032982267604182971884026507427359259977847832272839041616661285803823378372096355777062779109
2018-12-11 13:56:40 +00:00
q = 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787
2018-11-27 11:08:43 -05:00
2018-12-11 13:56:40 +00:00
def hash_to_G2(message: bytes32, domain: uint64) -> [uint384]:
2018-12-10 14:30:36 +00:00
# Initial candidate x coordinate
2019-01-10 11:52:21 +00:00
x_re = int.from_bytes(hash(message + bytes8(domain) + b'\x01'), 'big')
x_im = int.from_bytes(hash(message + bytes8(domain) + b'\x02'), 'big')
2018-12-11 13:36:34 +00:00
x_coordinate = Fq2([x_re, x_im]) # x = x_re + i * x_im
2018-12-10 14:30:36 +00:00
# Test candidate y coordinates until a one is found
2018-11-27 11:08:43 -05:00
while 1:
2018-12-11 13:36:34 +00:00
y_coordinate_squared = x_coordinate ** 3 + Fq2([4, 4]) # The curve is y^2 = x^3 + 4(i + 1)
2018-12-10 14:30:36 +00:00
y_coordinate = modular_squareroot(y_coordinate_squared)
if y_coordinate is not None: # Check if quadratic residue found
return multiply_in_G2((x_coordinate, y_coordinate), G2_cofactor)
2018-12-11 13:36:34 +00:00
x_coordinate += Fq2([1, 0]) # Add 1 and try again
2018-11-27 11:08:43 -05:00
```
2018-12-09 14:43:13 +00:00
### `modular_squareroot`
2018-11-27 11:08:43 -05:00
2019-01-28 10:28:05 -06:00
`modular_squareroot(x)` returns a solution `y` to `y**2 % q == x` , and `None` if none exists. If there are two solutions the one with higher imaginary component is favored; if both solutions have equal imaginary component the one with higher real component is favored (note that this is equivalent to saying that the single solution with either imaginary component > p/2 or imaginary component zero and real component > p/2 is favored).
2019-01-29 15:57:05 -06:00
The following is a sample implementation; implementers are free to implement modular square roots as they wish. Note that `x2 = -x1` is an _additive modular inverse_ so real and imaginary coefficients remain in `[0 .. q-1]` . `coerce_to_int(element: Fq) -> int` is a function that takes Fq element `element` (ie. integers `mod q` ) and converts it to a regular integer.
2018-12-09 23:44:44 -05:00
2018-11-27 11:08:43 -05:00
```python
2018-12-11 14:02:34 +00:00
Fq2_order = q ** 2 - 1
eighth_roots_of_unity = [Fq2([1,1]) ** ((Fq2_order * k) // 8) for k in range(8)]
2018-11-27 11:08:43 -05:00
2019-01-28 10:28:05 -06:00
def modular_squareroot(value: Fq2) -> Fq2:
2018-12-11 14:02:34 +00:00
candidate_squareroot = value ** ((Fq2_order + 8) // 16)
2018-12-09 14:43:13 +00:00
check = candidate_squareroot ** 2 / value
2018-11-27 11:08:43 -05:00
if check in eighth_roots_of_unity[::2]:
2018-12-09 23:44:44 -05:00
x1 = candidate_squareroot / eighth_roots_of_unity[eighth_roots_of_unity.index(check) // 2]
x2 = -x1
2019-01-29 07:52:42 -06:00
x1_re, x1_im = coerce_to_int(x1.coeffs[0]), coerce_to_int(x1.coeffs[1])
x2_re, x2_im = coerce_to_int(x2.coeffs[0]), coerce_to_int(x2.coeffs[1])
return x1 if (x1_im > x2_im or (x1_im == x2_im and x1_re > x2_re)) else x2
2018-11-27 11:08:43 -05:00
return None
```
2018-12-17 08:48:06 -06:00
## Aggregation operations
2018-12-14 19:55:05 -05:00
### `bls_aggregate_pubkeys`
2019-01-17 17:29:28 +08:00
Let `bls_aggregate_pubkeys(pubkeys: List[Bytes48]) -> Bytes48` return `pubkeys[0] + .... + pubkeys[len(pubkeys)-1]` , where `+` is the elliptic curve addition operation over the G1 curve.
2018-12-14 19:55:05 -05:00
### `bls_aggregate_signatures`
2019-01-18 03:19:38 +08:00
Let `bls_aggregate_signatures(signatures: List[Bytes96]) -> Bytes96` return `signatures[0] + .... + signatures[len(signatures)-1]` , where `+` is the elliptic curve addition operation over the G2 curve.
2018-12-14 19:55:05 -05:00
2018-12-09 14:21:34 +00:00
## Signature verification
2018-12-11 13:36:34 +00:00
In the following `e` is the pairing function and `g` is the G1 generator with the following coordinates (see [here ](https://github.com/zkcrypto/pairing/tree/master/src/bls12_381#g1 )):
```python
g_x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
g_y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569
2019-01-18 15:39:28 -06:00
g = Fq2([g_x, g_y])
2018-12-11 13:36:34 +00:00
```
2018-12-09 14:21:34 +00:00
### `bls_verify`
2019-01-18 03:19:38 +08:00
Let `bls_verify(pubkey: Bytes48, message: Bytes32, signature: Bytes96, domain: uint64) -> bool` :
2018-12-09 14:21:34 +00:00
* Verify that `pubkey` is a valid G1 point.
* Verify that `signature` is a valid G2 point.
2018-12-09 14:48:54 +00:00
* Verify that `e(pubkey, hash_to_G2(message, domain)) == e(g, signature)` .
2018-12-09 14:21:34 +00:00
### `bls_verify_multiple`
2019-01-18 03:19:38 +08:00
Let `bls_verify_multiple(pubkeys: List[Bytes48], messages: List[Bytes32], signature: Bytes96, domain: uint64) -> bool` :
2018-11-27 11:08:43 -05:00
2018-12-09 14:21:34 +00:00
* Verify that each `pubkey` in `pubkeys` is a valid G1 point.
* Verify that `signature` is a valid G2 point.
* Verify that `len(pubkeys)` equals `len(messages)` and denote the length `L` .
2018-12-09 14:43:13 +00:00
* Verify that `e(pubkeys[0], hash_to_G2(messages[0], domain)) * ... * e(pubkeys[L-1], hash_to_G2(messages[L-1], domain)) == e(g, signature)` .