draft-irtf-cfrg-bls-signature-00.txt

5 | 6 | 7 | draft-irtf-cfrg-bls-signature-00.txtStanford University

8 | USA 9 | dabo@cs.stanford.edu 10 |

11 | Stanford University

12 | USA 13 | rsw@cs.stanford.edu 14 |

15 | Algorand and University of Waterloo

16 | Boston, MA 17 | USA 18 | sergey@algorand.com 19 |

20 | Algorand and ENS, Paris

21 | Boston, MA 22 | USA 23 | wee@di.ens.fr 24 |

25 | Algorand

26 | Boston, MA 27 | USA 28 | zhenfei@algorand.com 29 |

30 | 31 | InternetCFRG 32 | BLS is a digital signature scheme with compression properties. 33 | With a given set of signatures (signature_1, ..., signature_n) anyone can produce 34 | a compressed signature signature_compressed. The same is true for a set of 35 | secret keys or public keys, while keeping the connection between sets 36 | (i.e., a compressed public key is associated to its compressed secret key). 37 | Furthermore, the BLS signature scheme is deterministic, non-malleable, 38 | and efficient. Its simplicity and cryptographic properties allows it 39 | to be useful in a variety of use-cases, specifically when minimal 40 | storage space or bandwidth are required. 41 | 42 | 43 | 44 | 45 | 46 | 47 |

48 | A signature scheme is a fundamental cryptographic primitive 49 | that is used to protect authenticity and integrity of communication. 50 | Only the holder of a secret key can sign messages, but anyone can 51 | verify the signature using the associated public key. 52 | Signature schemes are used in point-to-point secure communication 53 | protocols, PKI, remote connections, etc. 54 | Designing efficient and secure digital signature is very important 55 | for these applications. 56 | This document describes the BLS signature scheme. The scheme enjoys a variety 57 | of important efficiency properties: 58 | 59 | 60 | The public key and the signatures are encoded as single group elements. 61 | Verification requires 2 pairing operations. 62 | A collection of signatures (signature_1, ..., signature_n) can be compressed 63 | into a single signature (signature). Moreover, the compressed signature can 64 | be verified using only n+1 pairings (as opposed to 2n pairings, when verifying 65 | n signatures separately). 66 | 67 | 68 | Given the above properties, 69 | the scheme enables many interesting applications. 70 | The immediate applications include 71 | 72 | 73 | authentication and integrity for Public Key Infrastructure (PKI) and blockchains. 74 | 75 | The usage is similar to classical digital signatures, such as ECDSA. 76 | 77 | compressing signature chains for PKI and Secure Border Gateway Protocol (SBGP). 78 | 79 | Concretely, in a PKI signature chain of depth n, we have n signatures by n 80 | certificate authorities on n distinct certificates. Similarly, in SBGP, 81 | each router receives a list of n signatures attesting to a path of length n 82 | in the network. In both settings, using the BLS signature scheme would allow us 83 | to compress the n signatures into a single signature. 84 | 85 | consensus protocols for blockchains. 86 | 87 | There, BLS signatures 88 | are used for authenticating transactions as well as votes during the consensus 89 | protocol, and the use of aggregation significantly reduces the bandwidth 90 | and storage requirements. 91 | 92 | 93 | 94 | 95 |

96 | The following comparison assumes BLS signatures with curve BLS12-381, targeting 97 | 128 bits security. 98 | For 128 bits security, ECDSA takes 37 and 79 micro-seconds to sign and verify 99 | a signature on a typical laptop. In comparison, for the same level of security, 100 | BLS takes 370 and 2700 micro-seconds to sign and verify 101 | a signature. 102 | In terms of sizes, ECDSA uses 32 bytes for public keys and 64 bytes for signatures; 103 | while BLS uses 96 bytes for public keys, and 48 bytes for signatures. 104 | Alternatively, BLS can also be instantiated with 48 bytes of public keys and 96 bytes 105 | of signatures. 106 | BLS also allows for signature compression. In other words, a single signature is 107 | sufficient to anthenticate multiple messages and public keys. 108 |

109 | 110 |

124 | 125 |

126 | The following terminology is used through this document: 127 | 128 | 129 | SK: The secret key for the signature scheme. 130 | PK: The public key for the signature scheme. 131 | message: The input to be signed by the signature scheme. 132 | signature: The digital signature output. 133 | aggregation: Given a list of signatures for a list of messages and public keys, 134 | an aggregation algorithm generates one signature that authenticates the same 135 | list of messages and public keys. 136 | rogue key attack: 137 | An attack in which a specially crafted public key (the "rogue" key) is used 138 | to forge an aggregated signature. 139 | specifies methods for securing against rogue key attacks. 140 | 141 | 142 | The following notation and primitives are used: 143 | 144 | 145 | a || b denotes the concatenation of octet strings a and b. 146 | A pairing-friendly elliptic curve defines the following primitives 147 | (see for detailed discussion): 148 | 149 | E1, E2: elliptic curve groups defined over finite fields. 150 | This document assumes that E1 has a more compact representation than 151 | E2, i.e., because E1 is defined over a smaller field than E2. 152 | G1, G2: subgroups of E1 and E2 (respectively) having prime order r. 153 | P1, P2: distinguished points that generate of G1 and G2, respectively. 154 | GT: a subgroup, of prime order r, of the multiplicative group of a field extension. 155 | e : G1 x G2 -> GT: a non-degenerate bilinear map. 156 | 157 | For the above pairing-friendly curve, this document 158 | writes operations in E1 and E2 in additive notation, i.e., 159 | P + Q denotes point addition and x * P denotes scalar multiplication. 160 | Operations in GT are written in multiplicative notation, i.e., a * b 161 | is field multiplication. 162 | 163 | 164 | 165 | 166 | For each of E1 and E2 defined by the above pairing-friendly curve, 167 | we assume that the pairing-friendly elliptic curve definition provides 168 | several primitives, described below. 169 | Note that these primitives are named generically. 170 | When referring to one of these primitives for a specific group, 171 | this document appends the name of the group, e.g., 172 | point_to_octets_E1, subgroup_check_E2, etc. 173 | 174 | point_to_octets(P) -> ostr: returns the canonical representation of 175 | the point P as an octet string. 176 | This operation is also known as serialization. 177 | octets_to_point(ostr) -> P: returns the point P corresponding to the 178 | canonical representation ostr, or INVALID if ostr is not a valid output 179 | of point_to_octets. 180 | This operation is also known as deserialization. 181 | subgroup_check(P) -> VALID or INVALID: returns VALID when the point P 182 | is an element of the subgroup of order r, and INVALID otherwise. 183 | This function can always be implemented by checking that r * P is equal 184 | to the identity element. In some cases, faster checks may also exist, 185 | e.g., . 186 | 187 | I2OSP and OS2IP are the functions defined in , Section 4. 188 | hash_to_point(ostr) -> P: a cryptographic hash function that takes as input an 189 | arbitrary octet string and returns a point on an elliptic curve. 190 | Functions of this kind are defined in . 191 | Each of the ciphersuites in specifies the hash_to_point 192 | algorithm to be used. 193 | 194 | 195 |

196 | 197 |

198 | The BLS signature scheme defines the following API: 199 | 200 | 201 | KeyGen(IKM) -> PK, SK: a key generation algorithm that 202 | takes as input an octet string comprising secret keying material, 203 | and outputs a public key PK and corresponding secret key SK. 204 | Sign(SK, message) -> signature: a signing algorithm that generates a 205 | deterministic signature given a secret key SK and a message. 206 | Verify(PK, message, signature) -> VALID or INVALID: 207 | a verification algorithm that outputs VALID if signature is a valid 208 | signature of message under public key PK, and INVALID otherwise. 209 | Aggregate(signature_1, ..., signature_n) -> signature: 210 | an aggregation algorithm that compresses a collection of signatures 211 | into a single signature. 212 | AggregateVerify((PK_1, message_1), ..., (PK_n, message_n), signature) -> VALID or INVALID: 213 | an aggregate verification algorithm that outputs VALID if signature 214 | is a valid aggregated signature for a collection of public keys and messages, 215 | and outputs INVALID otherwise. 216 | 217 | 218 |

219 | 220 |

221 | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 222 | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 223 | document are to be interpreted as described in . 224 |

225 |

226 | 227 |

228 | This section defines core operations used by the schemes defined in . 229 | These operations MUST NOT be used except as described in that section. 230 | 231 |

247 | 248 |

323 | 324 |

325 | The KeyGen algorithm generates a pair (PK, SK) deterministically using 326 | the secret octet string IKM. 327 | KeyGen uses HKDF instantiated with the hash function H. 328 | For security, IKM MUST be infeasible to guess, e.g., 329 | generated by a trusted source of randomness. 330 | IKM MUST be at least 32 bytes long, but it MAY be longer. 331 | Because KeyGen is deterministic, implementations MAY choose either to 332 | store the resulting (PK, SK) or to store IKM and call KeyGen to derive 333 | the keys when necessary. 334 | 335 |

362 | 363 |

364 | The KeyValidate algorithm ensures that a public key is valid. 365 | 366 |

382 | 383 |

384 | The CoreSign algorithm computes a signature from SK, a secret key, 385 | and message, an octet string. 386 | 387 |

404 | 405 |

432 | 433 |

434 | The Aggregate algorithm compresses multiple signatures into one. 435 | 436 |

458 | 459 |

460 | The CoreAggregateVerify algorithm checks an aggregated signature 461 | over several (PK, message) pairs. 462 | All public keys PK_i must satisfy KeyValidate(PK_i) == VALID 463 | (). 464 | 465 |

490 |

491 | 492 |

507 | In a basic scheme, rogue key attacks are handled by requiring 508 | all messages signed by an aggregate signature to be distinct. 509 | This requirement is enforced in the definition of AggregateVerify. 510 | The Sign and Verify functions are identical to CoreSign and 511 | CoreVerify (), respectively. 512 | AggregateVerify is defined below. 513 | All public keys PK supplied as arguments to Verify and AggregateVerify 514 | MUST satisfy KeyValidate(PK) == VALID (). 515 | 516 |

517 | This function first ensures that all messages are distinct, and then 518 | invokes CoreAggregateVerify. 519 | 520 |

538 |

539 | 540 |

signature = Sign(SK, message) 557 | 558 | Inputs: 559 | - SK, a secret key output by an invocation of KeyGen. 560 | - message, an octet string. 561 | 562 | Outputs: 563 | - signature, an octet string. 564 | 565 | Procedure: 566 | 1. xP = SK * P 567 | 2. PK = point_to_pubkey(xP) 568 | 3. return CoreSign(SK, PK || message) 569 | 570 | 571 |

572 | 573 |

574 | 575 |

result = Verify(PK, message, signature) 576 | 577 | Inputs: 578 | - PK, a public key in the format output by KeyGen. 579 | - message, an octet string. 580 | - signature, an octet string in the format output by CoreSign. 581 | 582 | Outputs: 583 | - result, either VALID or INVALID. 584 | 585 | Procedure: 586 | 1. return CoreVerify(PK, PK || message, signature) 587 | 588 | 589 |

590 | 591 |

592 | 593 |

result = AggregateVerify((PK_1, message_1), ..., (PK_n, message_n), 594 | signature) 595 | 596 | Inputs: 597 | - PK_1, ..., PK_n, public keys in the format output by KeyGen. 598 | - message_1, ..., message_n, octet strings. 599 | - signature, an octet string output by Aggregate. 600 | 601 | Outputs: 602 | - result, either VALID or INVALID. 603 | 604 | Procedure: 605 | 1. for i in 1, ..., n: 606 | 2. mprime_i = PK_i || message_i 607 | 3. return CoreAggregateVerify((PK_1, mprime_1), ..., (PK_n, mprime_n), 608 | signature) 609 | 610 | 611 |

612 |

613 | 614 |

615 | A proof of possession scheme uses a separate public key 616 | validation step, called a proof of possession, to defend against 617 | rogue key attacks. 618 | This enables an optimization to aggregate signature verification 619 | for the case that all signatures are on the same message. 620 | The Sign, Verify, and AggregateVerify functions 621 | are identical to CoreSign, CoreVerify, and CoreAggregateVerify 622 | (), respectively. 623 | In addition, a proof of possession scheme defines three functions beyond 624 | the standard API (): 625 | 626 | 627 | PopProve(SK) -> proof: an algorithm that generates a proof of possession 628 | for the public key corresponding to secret key SK. 629 | PopVerify(PK, proof) -> VALID or INVALID: 630 | an algorithm that outputs VALID if proof is valid for PK, and INVALID otherwise. 631 | FastAggregateVerify(PK_1, ..., PK_n, message, signature) -> VALID or INVALID: 632 | a verification algorithm for the aggregate of multiple signatures on 633 | the same message. 634 | This function is faster than AggregateVerify. 635 | 636 | 637 | All public keys used by Verify, AggregateVerify, and FastAggregateVerify 638 | MUST be accompanied by a proof of possession generated by PopProve, 639 | and the result of PopVerify on this proof MUST be VALID. 640 | 641 |

642 | In addition to the parameters required to instantiate the core operations 643 | (), a proof of possession scheme requires one further parameter: 644 | 645 | 646 | hash_pubkey_to_point(PK) -> P: a cryptographic hash function that takes as 647 | input a public key and outputs a point in the same subgroup as the 648 | hash_to_point algorithm used to instantiate the core operations. 649 | For security, this function MUST be orthogonal to the hash_to_point function. 650 | In addition, this function MUST be either a random oracle encoding or a 651 | nonuniform encoding, as defined in . 652 | The RECOMMENDED way of instantiating hash_pubkey_to_point is to use 653 | the same hash-to-curve function as hash_to_point, with a 654 | different domain separation tag (see , Section 5.1). 655 | 656 | 657 |

658 | 659 |

685 | 686 |

687 | Note that the following uses several functions defined in . 688 | The hash_pubkey_to_point function is defined in . 689 | 690 |

712 | 713 |

714 | Note that the following uses several functions defined in . 715 | 716 |

736 |

737 |

738 | 739 |

745 | A ciphersuite specifies all parameters from , 746 | a scheme from , and any parameters the scheme requires. 747 | In particular, a ciphersuite comprises: 748 | 749 | 750 | ID: the ciphersuite ID, an ASCII string. The RECOMMENDED format for 751 | this string is 752 | "BLS_SIG_" || H2C_SUITE || "_" || SC_TAG || "_" 753 | 754 | strings in double quotes are literal ASCII octet sequences 755 | H2C_SUITE is the name of the hash-to-curve ciphersuite 756 | used to define the hash_to_point and hash_pubkey_to_point 757 | functions. 758 | SC_TAG SHOULD be "NUL" when SC is basic, 759 | "AUG" when SC is message-augmentation, or 760 | "POP" when SC is proof-of-possession. 761 | 762 | SC: the scheme, either basic, message-augmentation, or proof-of-possession. 763 | SV: the signature variant, either minimal-signature-size or 764 | minimal-pubkey-size. 765 | EC: a pairing-friendly elliptic curve, plus all associated functionality 766 | (). 767 | H: a cryptographic hash function. 768 | hash_to_point: a hash from arbitrary strings to elliptic curve points. 769 | It is RECOMMENDED that hash_to_point be defined in terms of a 770 | hash-to-curve suite with domain separation tag equal 771 | to the ID string. 772 | hash_pubkey_to_point (only specified when SC is proof-of-possession): 773 | a hash from serialized public keys to elliptic curve points. 774 | It is RECOMMENDED that hash_pubkey_to_point be defined in terms of a 775 | has-to-curve suite , with domain separation tag 776 | constructed similarly to the ID string, namely: 777 | "BLS_POP_" || H2C_SUITE || "_" || SC_TAG || "_" 778 | 779 | 780 |

781 | 782 |

783 | The following ciphersuites are all built on the BLS12-381 elliptic curve. 784 | The required primitives for this curve are given in . 785 | These ciphersuites use the hash-to-curve suites BLS12381G1-SHA256-SSWU-RO- 786 | and BLS12381G2-SHA256-SSWU-RO- defined in . 787 | Each ciphersuite defines a unique hash_to_point function by specifying 788 | a domain separation tag (see [@I-D.irtf-cfrg-hash-to-curve, Section 5.1). 789 | 790 |

791 | The ciphersuite with ID 792 | BLS_SIG_BLS12381G1-SHA256-SSWU-RO-_NUL_ 793 | uses the following parameters, in addition to the common parameters below. 794 | 795 | 796 | SV: minimal-signature-size 797 | hash_to_point: BLS12381G1-SHA256-SSWU-RO- with the ASCII domain separation tag 798 | BLS_SIG_BLS12381G1-SHA256-SSWU-RO-_NUL_ 799 | 800 | 801 | The ciphersuite with ID 802 | BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_NUL_ 803 | uses the following parameters, in addition to the common parameters below. 804 | 805 | 806 | SV: minimal-pubkey-size 807 | hash_to_point: BLS12381G2-SHA256-SSWU-RO- with the ASCII domain separation tag 808 | BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_NUL_ 809 | 810 | 811 | The above ciphersuites share the following common parameters: 812 | 813 | 814 | SC: basic 815 | EC: BLS12-381, as defined in . 816 | H: SHA-256 817 | 818 | 819 |

820 | 821 |

822 | The ciphersuite with ID 823 | BLS_SIG_BLS12381G1-SHA256-SSWU-RO-_AUG_ 824 | uses the following parameters, in addition to the common parameters below. 825 | 826 | 827 | SV: minimal-signature-size 828 | hash_to_point: BLS12381G1-SHA256-SSWU-RO- with the ASCII domain separation tag 829 | BLS_SIG_BLS12381G1-SHA256-SSWU-RO-_AUG_ 830 | 831 | 832 | The ciphersuite with ID 833 | BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_AUG_ 834 | uses the following parameters, in addition to the common parameters below. 835 | 836 | 837 | SV: minimal-pubkey-size 838 | hash_to_point: BLS12381G2-SHA256-SSWU-RO- with the ASCII domain separation tag 839 | BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_AUG_ 840 | 841 | 842 | The above ciphersuites share the following common parameters: 843 | 844 | 845 | SC: message-augmentation 846 | EC: BLS12-381, as defined in . 847 | H: SHA-256 848 | 849 | 850 |

851 | 852 |

886 |

887 |

888 | 889 |

890 | 891 |

892 | All algorithms in and that operate on public keys 893 | require first validating these keys. 894 | For the basic and message augmentation schemes, the use of KeyValidate 895 | is REQUIRED. 896 | For the proof of possession scheme, each public key MUST be accompanied by 897 | a proof of possession, and use of PopVerify is REQUIRED. 898 | Note that implementations MAY cache validation results for public keys 899 | in order to avoid unnecessarily repeating validation for known keys. 900 |

901 | 902 |

903 | Some existing implementations skip the signature_subgroup_check invocation 904 | in CoreVerify (), whose purpose is ensuring that the signature 905 | is an element of a prime-order subgroup. 906 | This check is REQUIRED of conforming implementations, for two reasons. 907 | 908 | 909 | For most pairing-friendly elliptic curves used in practice, the pairing 910 | operation e () is undefined when its input points are not 911 | in the prime-order subgroups of E1 and E2. 912 | The resulting behavior is unpredictable, and may enable forgeries. 913 | Even if the pairing operation behaves properly on inputs that are outside 914 | the correct subgroups, skipping the subgroup check breaks the strong 915 | unforgeability property. 916 | 917 | 918 |

919 | 920 |

921 | Implementations of the signing algorithm SHOULD protect the secret key 922 | from side-channel attacks. 923 | One method for protecting against certain side-channel attacks is ensuring 924 | that the implementation executes exactly the same sequence of 925 | instructions and performs exactly the same memory accesses, for any 926 | value of the secret key. 927 | In other words, implementations on the underlying pairing-friendly elliptic 928 | curve SHOULD run in constant time. 929 |

930 | 931 |

932 | BLS signatures are deterministic. This protects against attacks 933 | arising from signing with bad randomness, for example, the nonce reuse 934 | attack on ECDSA . 935 | As discussed in , the IKM input to KeyGen MUST be infeasible 936 | to guess and MUST be kept secret. 937 | One possibility is to generate IKM from a trusted source of randomness. 938 | Guidelines on constructing such a source are outside the scope of this 939 | document. 940 |

941 | 942 |

943 | The security analysis models hash_to_point and hash_pubkey_to_point 944 | as random oracles. 945 | It is crucial that these functions are implemented using a cryptographically 946 | secure hash function. 947 | For this purpose, implementations MUST meet the requirements of 948 | . 949 | In addition, ciphersuites MUST specify unique domain separation tags 950 | for hash_to_point and hash_pubkey_to_point. 951 | The domain separation tag format used in is the RECOMMENDED one. 952 |

953 |

954 | 955 |

956 | This section will be removed in the final version of the draft. 957 | There are currently several implementations of BLS signatures using the BLS12-381 curve. 958 | 959 | 960 | Algorand: bls_sigs_ref 961 | Chia: spec 962 | python/C++. Here, they are 963 | swapping G1 and G2 so that the public keys are small, and the benefits 964 | of avoiding a membership check during signature verification would even be more 965 | substantial. The current implementation does not seem to implement the membership check. 966 | Chia uses the Fouque-Tibouchi hashing to the curve, which can be done in constant time. 967 | Dfinity: go BLS. The current implementations do not seem to implement the membership check. 968 | Ethereum 2.0: spec 969 | 970 | 971 |

972 | 973 |

974 | 975 | 976 | Pairing-friendly curves draft-yonezawa-pairing-friendly-curves 977 | Pairing-based Identity-Based Encryption IEEE 1363.3. 978 | Identity-Based Cryptography Standard rfc5901. 979 | Hashing to Elliptic Curves draft-irtf-cfrg-hash-to-curve-04, in order to implement the hash function hash_to_point. 980 | EdDSA rfc8032 981 | 982 | 983 |

984 | 985 |

986 | TBD (consider to register ciphersuite identifiers for BLS signature and underlying 987 | pairing curves) 988 |

989 | 990 | 991 | 992 | 993 | 994 | 995 | 996 | 997 | BLS12-381 998 | 999 | Electric Coin Company 1000 | 1001 | 1002 | 1003 | 1004 | 1005 | 1006 | 1007 | 1008 | Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme 1009 | 1010 | University of California, San Diego 1011 | 1012 | 1013 | 1014 | 1015 | 1016 | 1017 | Compact multi-signatures for shorter blockchains 1018 | 1019 | Stanford University 1020 | 1021 | 1022 | DFINITY 1023 | 1024 | 1025 | ETH Zurich 1026 | 1027 | 1028 | 1029 | 1030 | 1031 | 1032 | Faster subgroup checks for BLS12-381 1033 | 1034 | Electric Coin Company 1035 | 1036 | 1037 | 1038 | 1039 | 1040 | 1041 | 1042 | 1043 | FIPS Publication 180-4: Secure Hash Standard 1044 | 1045 | National Institute of Standards and Technology (NIST) 1046 | 1047 | 1048 | 1049 | 1050 | 1051 | 1052 | Unrestricted aggregate signatures 1053 | 1054 | University of California, San Diego 1055 | 1056 | 1057 | Thammasat University 1058 | 1059 | 1060 | Katholieke Universiteit Leuven 1061 | 1062 | 1063 | 1064 | 1065 | 1066 | 1067 | Sequential Aggregate Signatures and Multisignatures Without Random Oracles 1068 | 1069 | University of California, Los Angeles 1070 | 1071 | 1072 | University of California, Los Angeles 1073 | 1074 | 1075 | University of California, Los Angeles 1076 | 1077 | 1078 | Weizmann Institute 1079 | 1080 | 1081 | SRI International 1082 | 1083 | 1084 | 1085 | 1086 | 1087 | 1088 | 1089 | Mining your Ps and Qs: Detection of widespread weak keys in network devices 1090 | 1091 | University of California, San Diego 1092 | 1093 | 1094 | The University of Michigan 1095 | 1096 | 1097 | The University of Michigan 1098 | 1099 | 1100 | The University of Michigan 1101 | 1102 | 1103 | 1104 | 1105 | 1106 | 1107 | Short signatures from the Weil pairing 1108 | 1109 | Stanford University 1110 | 1111 | 1112 | Stanford University 1113 | 1114 | 1115 | Stanford University 1116 | 1117 | 1118 | 1119 | 1120 | 1121 | 1122 | Aggregate and verifiably encrypted signatures from bilinear maps 1123 | 1124 | Stanford University 1125 | 1126 | 1127 | Stanford University 1128 | 1129 | 1130 | Stanford University 1131 | 1132 | 1133 | Stanford University 1134 | 1135 | 1136 | 1137 | 1138 | 1139 | 1140 | The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks 1141 | 1142 | University of California, San Diego 1143 | 1144 | 1145 | University of California, San Diego 1146 | 1147 | 1148 | 1149 | 1150 | 1151 | 1152 | 1153 |

1175 | 1176 |

1177 | TBA: (i) test vectors for both variants of the signature scheme 1178 | (signatures in G2 instead of G1) , (ii) test vectors ensuring 1179 | membership checks, (iii) intermediate computations ctr, hm. 1180 |

1181 | 1182 |

1183 | The security properties of the BLS signature scheme are proved in . 1184 | prove the security of aggregate signatures over distinct messages, 1185 | as in the basic scheme of . 1186 | prove security of the message augmentation scheme of . 1187 | prove security of constructions related to the proof 1188 | of possession scheme of . 1189 | prove the security of another rogue key defense; this 1190 | defense is not standardized in this document. 1191 |

1192 | 1193 | 1194 | 1195 |