4.7 KiB
BLS signature verification
Warning: This document is pending academic review and should not yet be considered secure.
Table of contents
Curve parameters
The BLS12-381 curve parameters are defined here.
Point representations
We represent points in the groups G1 and G2 following zkcrypto/pairing. We denote by q the field modulus and by i the imaginary unit.
G1 points
A point in G1 is represented as a 384-bit integer z decomposed as a 381-bit integer x and three 1-bit flags in the top bits:
x = z % 2**381a_flag = (z % 2**382) // 2**381b_flag = (z % 2**383) // 2**382c_flag = (z % 2**384) // 2**383
Respecting bit ordering, z is decomposed as (c_flag, b_flag, a_flag, x).
We require:
x < qc_flag == 1- if
b_flag == 1thena_flag == x == 0andzrepresents the point at infinity - if
b_flag == 0thenzrepresents the point(x, y)whereyis the valid coordinate such that(y * 2) // q == a_flag
G2 points
A point in G2 is represented as a pair of 384-bit integers (z1, z2). We decompose z1 as above into x1, a_flag1, b_flag1, c_flag1 and z2 into x2, a_flag2, b_flag2, c_flag2.
We require:
x1 < qandx2 < qa_flag2 == b_flag2 == c_flag2 == 0c_flag1 == 1- if
b_flag1 == 1thena_flag1 == x1 == x2 == 0and(z1, z2)represents the point at infinity - if
b_flag1 == 0then(z1, z2)represents the point(x1 * i + x2, y)whereyis the valid coordinate such that the imaginary party_imofysatisfies(y_im * 2) // q == a_flag1
Helpers
hash_to_G2
G2_cofactor = 305502333931268344200999753193121504214466019254188142667664032982267604182971884026507427359259977847832272839041616661285803823378372096355777062779109
q = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
def hash_to_G2(message, domain):
x1 = int.from_bytes(hash(bytes8(domain) + b'\x01' + message), 'big')
x2 = int.from_bytes(hash(bytes8(domain) + b'\x02' + message), 'big')
x_coordinate = FQ2([x1, x2]) # x1 + x2 * i
while 1:
x_cubed_plus_b2 = x_coordinate ** 3 + FQ2([4, 4])
y_coordinate = modular_squareroot(x_cubed_plus_b2)
if y_coordinate is not None:
break
x_coordinate += FQ2([1, 0]) # Add one until we get a quadratic residue
assert is_on_G2((x_coordinate, y_coordinate))
return multiply_in_G2((x_coordinate, y_coordinate), G2_cofactor)
modular_squareroot
modular_squareroot(x) returns a solution y to y**2 % q == x, and None if none exists. If there are two solutions the one with higher imaginary component is favored; if both solutions have equal imaginary component the one with higher real component is favored.
qmod = q ** 2 - 1
eighth_roots_of_unity = [FQ2([1,1]) ** ((qmod * k) // 8) for k in range(8)]
def modular_squareroot(value):
candidate_squareroot = value ** ((qmod + 8) // 16)
check = candidate_squareroot ** 2 / value
if check in eighth_roots_of_unity[::2]:
x1 = candidate_squareroot / eighth_roots_of_unity[eighth_roots_of_unity.index(check) // 2]
x2 = -x1
return x1 if (x1.coeffs[1].n, x1.coeffs[0].n) > (x2.coeffs[1].n, x2.coeffs[0].n) else x2
return None
Signature verification
In the following e is the pairing function and g is the generator in G1.
bls_verify
Let bls_verify(pubkey: uint384, message: bytes32, signature: [uint384], domain: uint64) -> bool:
- Verify that
pubkeyis a valid G1 point. - Verify that
signatureis a valid G2 point. - Verify that
e(pubkey, hash_to_G2(message, domain)) == e(g, signature).
bls_verify_multiple
Let bls_verify_multiple(pubkeys: [uint384], messages: [bytes32], signature: [uint384], domain: uint64) -> bool:
- Verify that each
pubkeyinpubkeysis a valid G1 point. - Verify that
signatureis a valid G2 point. - Verify that
len(pubkeys)equalslen(messages)and denote the lengthL. - Verify that
e(pubkeys[0], hash_to_G2(messages[0], domain)) * ... * e(pubkeys[L-1], hash_to_G2(messages[L-1], domain)) == e(g, signature).