Hi Dfinity Team, are there some applications on IC about the bls signature code here?:
Hi there! I am not sure if you are asking something specific about that commit or generally about BLS signatures. Note that the crate being updated in that commit implements the BLS12_381 curve, not BLS signatures. However there are many uses of BLS signatures on the internet computer, such as:
- Multi BLS signatures are used by the nodes to notarize and finalize blocks.
- Threshold BLS signatures are used to certify information on the internet computer, as well as to generate the random beacon (used to select block proposers) and the random tape (used to derive randomness exposed to canisters)
Thanks, andrea, that’s what I want to know about. And another question is:
What are the advantages of using BLS signatures for the two points that you listed here?
The main advantage of multi-signatures is that the combined signature is more compact to store/transfer than several individual signatures. BLS multi-signatures are also easy to generate as the signing protocol is non-interactive: i.e. every party individually signs a share and announces it to the other parties, the shares can then be publicly combined into a multi-signature.
Threshold BLS signatures are unique signatures, which means that for each message there is only one possible valid signature. It is well known that unique signature schemes can be used to construct verifiable random functions (VRF): these are pseudorandom functions for which it is possible to create proofs for the correctness of the outputs. This is what the IC uses to generate the random beacon and the random tape.
A crucial difference between multi and threshold BLS is that to verify a combined multi-signature you need to know all the public keys of the signers, while to verify a combined threshold signature you only need to know a single key (which is generated via distributed key generation protocol). This is the reason why for certification the IC uses threshold signatures: any content certified by the IC can be verified using a single root public key, so that users don’t have to keep track of all the public keys of the nodes on the IC.