Cryptography
Advanced ECC
Ethereum 2.0 has 500,000+ validators each signing messages every epoch. Without BLS signature aggregation, verifying each block would require half a million ECDSA verifications. BLS aggregation compresses all these signatures into one, making the consensus protocol feasible at scale. Bilinear pairings - once purely academic - are now running in production on one of the largest blockchains.
- **Ethereum 2.0 beacon chain**: BLS12-381 aggregates 500,000+ validator attestations per epoch into a handful of aggregate signatures. Core to Ethereum proof-of-stake.
- **Ethereum zkSNARKs**: EIP-196/197 expose BN254 pairing precompile for Groth16 proof verification. Used by zkRollups (zkSync, Polygon zkEVM).
- **Cloudflare time-lock encryption**: IBE with future timestamps as identities. Data encrypted for "reveal at date X" without a key escrow database.
- **Healthcare ABE pilots**: encrypted patient records with CP-ABE policies (doctor AND hospital) - record travels with its own access control policy.
Bilinear Pairings: A New Curve Operation
A bilinear pairing e: G1 x G2 -> GT maps pairs of curve points to elements of a multiplicative group GT. The bilinearity property e(aP, bQ) = e(P,Q)^(ab) enables cryptographic constructions impossible with standard ECC, including 3-party non-interactive key agreement and identity-based encryption.
Ethereum uses BN254 pairings in EIP-196/197 for zkSNARK verification in smart contracts. BLS12-381 is used in Ethereum 2.0 beacon chain for BLS signature aggregation across 500,000+ validators.
What sets bilinear pairings apart from standard elliptic curve operations?
BLS Signatures: Aggregating Millions of Signatures
BLS signatures (Boneh-Lynn-Shacham, 2001) use bilinear pairings to aggregate multiple signatures into one. n signatures on n different messages can be combined into a single 48-byte signature, with verification requiring n+1 pairings. This is critical for Ethereum 2.0 with 500,000+ validators.
Ethereum 2.0 beacon chain: 500,000+ validators each sign an attestation every epoch. BLS aggregation reduces these to a few dozen aggregate signatures per block, cutting verification cost by 99%+.
How does BLS signature aggregation benefit Ethereum 2.0 with 500,000 validators?
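A toy model of the BLS aggregation described above and of the 3-party non-interactive key agreement mentioned in the pairings section, added here as an example and not code from the original page or from any Ethereum client. It swaps the BLS12-381 pairing for an insecure stand-in (an order-R subgroup of Z_P^*, on which discrete logs of the "points" are trivial) so that only the bilinear algebra is demonstrated; every constant and function name is the example's own assumption.

```python
import hashlib
import secrets
# Toy bilinear map (constructed here; NOT a real pairing and NOT secure):
# G1 = G2 = Z_R (additive), GT = order-R subgroup of Z_P^*, e(a, b) = G^(ab)
# mod P, so e(x*a, y*b) = e(a, b)^(xy). P = 2^2281 - 1 (Mersenne prime) and
# R = 2^19 - 1 (prime) with R | P - 1 because 19 | 2280; G has order R.
P = (1 << 2281) - 1
R = (1 << 19) - 1
G = next(g for g in (pow(b, (P - 1) // R, P) for b in (3, 5, 7)) if g != 1)
GEN = 1           # base point of the additive toy group
PAIRINGS = [0]    # counts pairing evaluations to expose verification cost

def pairing(a, b):
    PAIRINGS[0] += 1
    return pow(G, (a * b) % R, P)

def hash_to_g1(msg):       # toy hash-to-group: nonzero element of Z_R
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (R - 1) + 1

def keygen():              # pk = sk * GEN
    sk = secrets.randbelow(R - 1) + 1
    return sk, sk * GEN % R

def sign(sk, msg):         # sigma = sk * H(m)
    return sk * hash_to_g1(msg) % R

def verify(pk, msg, sig):  # e(sigma, GEN) == e(H(m), pk): 2 pairings
    return pairing(sig, GEN) == pairing(hash_to_g1(msg), pk)

def aggregate(sigs):       # one group addition per signature, no pairings
    return sum(sigs) % R

def aggregate_verify(pks, msgs, agg):
    # e(agg, GEN) == prod_i e(H(m_i), pk_i): n + 1 pairings for n signers
    rhs = 1
    for pk, msg in zip(pks, msgs):
        rhs = rhs * pairing(hash_to_g1(msg), pk) % P
    return pairing(agg, GEN) == rhs

def joux_shared_key(my_secret, pub_b, pub_c):
    # 3-party non-interactive key agreement: e(bP, cP)^a = e(P, P)^(abc)
    return pow(pairing(pub_b, pub_c), my_secret, P)

def demo(n=5):
    sks, pks = zip(*[keygen() for _ in range(n)])
    msgs = [b"attestation %d" % i for i in range(n)]    # constructed inputs
    agg = aggregate(sign(sk, m) for sk, m in zip(sks, msgs))
    ok = aggregate_verify(pks, msgs, agg)               # n + 1 pairings
    forged = aggregate_verify(pks, msgs[:-1] + [b"forged"], agg)
    return ok, forged
```

Production BLS over BLS12-381 also needs a defence against rogue public keys in aggregation (the beacon chain requires a proof of possession at validator registration); this toy checks nothing of the sort.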
Identity-Based Encryption
Identity-Based Encryption (IBE, Boneh-Franklin 2001) allows encrypting to an arbitrary identity string (email, phone number) without pre-distributing a public key. A trusted Private Key Generator (PKG) derives private keys from identities using a master secret and bilinear pairings.
IBE solves key distribution for email encryption: users encrypt to alice@company.com without needing Alice's public key certificate. Cloudflare used IBE for Time-Lock Encryption (releasing decryption keys at future timestamps). Microsoft deployed IBE for encrypted email in Exchange.
What trusted party does IBE require that traditional PKI eliminates?
Attribute-Based Encryption
Attribute-Based Encryption (ABE) extends IBE: decryption is possible only if the decryptor's attributes satisfy a policy embedded in the ciphertext. This enables fine-grained access control without a key server: "decrypt only if (role=doctor AND hospital=Stanford) OR role=admin".
Google uses ABE internally for access control policies in encrypted storage. Healthcare cloud providers use CP-ABE for HIPAA-compliant record sharing. ABE allows data to travel with its access policy, enforceable cryptographically without a key server.
What advantage does Attribute-Based Encryption have over traditional encryption with an access control list?
Summary
- **Bilinear pairings**: e(aP, bQ) = e(P,Q)^(ab). Enables IBE, BLS, zkSNARKs. ~100x slower than ECDH, but enables constructions that are otherwise impossible.
- **BLS signatures**: 48-byte aggregatable signatures. n signatures compress to 1. Critical for Ethereum 2.0 validator attestation efficiency.
- **Identity-Based Encryption**: encrypt to email/identity without pre-distributed public key. Requires a trusted PKG (key escrow by design).
- **Attribute-Based Encryption**: policy in ciphertext, attributes in key. Cryptographically enforced access control without a central key server.
Related Topics
Advanced ECC uses pairings to unlock a new class of cryptographic constructions:
- Digital Signatures — BLS is an advanced signature scheme; Schnorr aggregation achieves similar goals without pairings for specific cases.
- ZK-SNARKs — Groth16 and PLONK use BN254 and BLS12-381 pairings for proof verification.
- Secret Sharing — Threshold BLS signatures combine BLS aggregation with secret sharing for distributed signing without ever assembling the private key.
Questions for Reflection
- The BN254 pairing precompile in Ethereum costs 45,000 gas. How does this limit which zkSNARK constructions are practical on-chain?
- IBE requires a trusted PKG that can derive any user private key. How does this compare to the trust model of a traditional Certificate Authority?
- CP-ABE embeds the access policy in the ciphertext. What happens when a policy needs to be updated for already-encrypted data?