2

Studying the bls signatures, I am wondering how in practice should we handle the parameter G.

In many signatures scheme, the generator used is a well known constant, for example eddsa with ed25519 has a well known fixed generator g. However, in the bls example from the C source code of the pbc library of Dan Boneh they generate a random G. In the literature they suppose the G is known by all parties. In jPBC sources , they save that system parameter G to a file.

Is there not a well defined constant G somewhere so client / signers don't have to exchange that value?

If I were to deploy a bls signature system, how would I chose this G? There does not seem to be any constraint over this system parameters since it's taken at random.

Do I include it in the signature and generate a new one for each signature? (providing more randomness at the expense of a bigger size?) or should I generate one element at random and call it G and make it public? Or save to a file and maybe have multiple files for different recipients ?

CodesInChaos
  • 24,841
  • 2
  • 89
  • 128
Nikkolasg
  • 204
  • 1
  • 7
  • 1
    The only requirement is that G must be known to all parties. How exactly you implement that doesn't really matter. – fkraiem Oct 09 '16 at 20:31
  • Ok then I guess I should have directed my question more like: Is there a constant somewhere specifying what is a good base to take as a base point for generating BLS priv/pub key & signatures ? Such as ed25519 base point (stack question https://crypto.stackexchange.com/questions/27392/base-point-in-ed25519) – Nikkolasg Oct 10 '16 at 19:01

0 Answers0