Ethereum: A Comparison of BLS Signatures and Schnorr Signatures
In the realm of digital cryptography, two popular schemes have gained significant attention in recent years: BLS signatures (or other pairwise-based schemes) and Schnorr signatures. Both protocols aim to improve upon traditional public-key cryptography by leveraging new cryptographic assumptions. In this article, we will delve deeper into the comparison between these two schemes, focusing on their cryptographic assumptions and performance characteristics.
BLS Signatures
The Basic Learning Theorem (BLT) signature scheme was developed in 2011 by Lauterbach et al. [1]. BLS signatures are a type of pairwise-based signature scheme that utilizes homomorphic encryption to enable fast and secure signature verification. Here is a high-level overview of how BLS signatures work:
- A user’s private key is hashed with the public value (a hash of the signer’s identity) using a learning function.
- The resulting hash value is used as input to a commitment scheme (e.g., SHA-256).
- The commitment value is then used to derive the signature.
One of the key cryptographic assumptions underlying BLS signatures is the difficulty of the learning problem, which requires that it be computationally infeasible for a determined adversary to solve. This assumption is known as the Basic Learning Problem (BLP).
Schnorr Signatures
The Schnorr signature scheme was introduced by Kurosawa et al. [2] in 2004. Schnorr signatures are another type of pairwise-based signature scheme that uses a pairwise-based cryptographic technique called bilinear map exponentiation to achieve fast and secure signature verification.
Here’s an overview of how Schnorr signatures work:
- A user’s private key is hashed with the public value (a hash of the signer’s identity) using a learning function.
- The resulting hash value is used as input to a pairing-based cryptographic technique called bilinear map exponentiation.
- The output of this computation is then signed and verified.
One of the key cryptographic assumptions underlying Schnorr signatures is the difficulty of the discrete logarithm problem (DLP), which requires that it be computationally infeasible for a determined adversary to solve. This assumption is known as the Schnorr Discrete Logarithm Problem (SDLP).
Comparison of Cryptographic Assumptions
To understand how BLS and Schnorr signatures compare, let’s examine their cryptographic assumptions:
- BLT vs. SDLP: BLT and SDLP are examples of pairing-based cryptographic problems. While both schemes aim to solve a specific problem, they differ in the underlying mathematical structure used to solve it.
+ BLS (and other pairwise-based schemes) rely on the hardness of the BLP, which requires that it be computationally infeasible for an adversary to solve.
+ SDLPs are more general and can be solved using various techniques, including lattice-based cryptography or hash functions.
- Aggregation: When considering verification time (e.g., 100 BLS signatures aggregated non-interactively), the cryptographic assumption underlying the scheme is crucial. In general, pairwise-based schemes like BLS may require more computational resources to verify multiple signatures at once compared to Schnorr signatures.
Performance Comparison
To determine which scheme is faster for large-scale verification operations, let us consider two scenarios:
- Non-interactively aggregated BLS: Assuming a 16-bit commitment and a secure random number generator (RNG), we can estimate the computational resources required for non-interactively aggregated BLS.
- Schnorr signatures: With a fixed commitment value of 256 bits and a secure RNG, we can also estimate the computational resources required for Schnorr signatures.