Re: [Cfrg] BLS standard draft

赵运磊 <> Wed, 13 February 2019 07:33 UTC

For existing applications like blockchain and cryptosystems, aggregate signature is indeed highly desirable. BLS is based on bilinear maps, and an aggregate signature from the general elliptic curves without using pairings may also be desirable (particularly for blockchain).

Andy Yao and I designed a signature scheme, named Gamma-signature, and we recently showed that Gamma-signature well supports signature aggregation. For more details and comparisons with BLS, please refer to

We wonder whether it is possible to document in CFRG. Any comments are appreciated.

All my best
Fudan University, Shanghai, China

From: "Eric Rescorla" <>
Sent: 2019-02-13 13:19:03 (Wednesday)
To: "Tony Arcieri" <>
Cc: CFRG <>
Subject: Re: [Cfrg] BLS standard draft

FWIW, I have more than once wanted a scheme with the properties of BLS. I'm not an expert in this area, but assuming that BLS is still the state of the art here, it seems like it would be useful to document it in CFRG.


On Mon, Feb 11, 2019 at 6:57 AM Tony Arcieri <> wrote:

On Mon, Feb 11, 2019 at 3:52 AM Michael Scott <> wrote:
1) Pairing-based crypto threw open the doors to lots of nice new crypto possibilities, enabling stuff that we couldn't do before
2) Gradually post-quantum crypto is catching up and demonstrating capabilities that mirror some (but not all) of these achievements

I'd agree with this: it is great people are working on post-quantum cryptography, but I do not view the threat as particularly urgent (i.e. 10+ years away, if ever), and therefore think it makes sense to continue to work on pre-quantum and post-quantum schemes in parallel.

Furthermore I'd like to add that pairings-based signature schemes like this have somewhat unique and highly useful properties around offline signature aggregation and small signature sizes. At least to my knowledge, there is no post-quantum secure equivalent of bilinear pairings (perhaps I'm mistaken?), so if we focus exclusively on post-quantum schemes we leave all of these benefits on the table, even in the event large QCs capable of attacking this class of elliptic curve prove to be intractable.


Tony Arcieri
