BLS Signatures and Aggregate Signature Schemes
Explore BLS12-381 pairings, signature aggregation, and how Ethereum 2.0 uses BLS to reduce validator overhead.
Bilinear Pairings: The Mathematical Foundation
BLS signatures rely on bilinear pairings — a mathematical operation on elliptic curves. A pairing e: G1 x G2 -> GT maps pairs of points from two groups (G1, G2) to a target group GT. The critical property is bilinearity: e(aP, bQ) = e(P, Q)^(ab) for scalars a, b and points P, Q. This allows checking relationships between group elements without knowing the discrete logarithms. The most used pairing curve for cryptography is BLS12-381, chosen for its 128-bit security level, small group element sizes (48 bytes in G1, 96 bytes in G2), and efficient pairing computation.
BLS Signature Construction
A BLS (Boneh-Lynn-Shacham) signature works as follows. Key generation: private key x is a random scalar; public key PK = x * G where G is the G2 generator. Signing: given message m, compute H = hash-to-curve(m) in G1, then sigma = x * H. The signature sigma is a single G1 point (48 bytes on BLS12-381). Verification: check e(sigma, G) == e(H, PK). By bilinearity, e(x*H, G) = e(H, G)^x = e(H, x*G) = e(H, PK). Security relies on the co-CDH assumption: computing x*H given H and x*G is hard without knowing x.
All lessons in this course
- Proof-of-Stake Cryptographic Mechanisms
- BFT Protocols: PBFT and Tendermint
- Verifiable Random Functions in Consensus
- BLS Signatures and Aggregate Signature Schemes