In cryptography, the **Boneh–Lynn–Shacham** signature scheme allows a user to verify that a signer is *authentic*. The scheme uses a pairing function for verification and signatures are group elements in some elliptic curve. Working in an elliptic curve provides defense against index calculus attacks against allowing shorter signatures than FDH signatures. Signatures are often referred to as *short signatures*, *BLS short signatures*, or simply *BLS signatures*. The signature scheme is provably secure (that is, the scheme is existentially unforgeable under adaptive chosen-message attacks) assuming both the existence of random oracles and the intractability of the computational Diffie–Hellman problem.
^{[1]}

## Contents

## Pairing functions[edit | edit source]

A gap group is a group in which the computational Diffie–Hellman problem is intractable but the decisional Diffie–Hellman problem can be efficiently solved. Non-degenerate, efficiently computable, bilinear pairing functions permit such groups.

Let be a non-degenerate, efficiently computable, bilinear pairing function where , are groups of prime order, . Let be a generator of . Consider an instance of the CDH problem, ,, . Intuitively, the pairing function does not help us compute , the solution to the CDH problem. It is conjectured that this instance of the CDH problem is intractable. Given , we may check to see if without knowledge of , , and , by testing whether holds.

By using the bilinear property times, we see that if , then since is a prime order group, .

## The scheme[edit | edit source]

A signature scheme consists of three functions, *generate*, *sign*, and *verify*

### Key generation[edit | edit source]

The key generation algorithm selects a random integer in the interval [0, *r* − 1]. The private key is . The holder of the private key publishes the public key, .

### Signing[edit | edit source]

Given the private key , and some message , we compute the signature by hashing the bitstring , as . We output the signature .

### Verification[edit | edit source]

Given a signature and a public key , we verify that .