Technical Background

In B2 Sidechain, all transactions are being signed by the ECDSA signature algorithm which is described in following subsection. The raw transaction is first digested by the hash function (Keccak), and then the hash value is signed by the sender’s private key through ECDSA. The current version of Parlia consensus does not provide fast finality because one validator produces a block, and to make sure of the correctness of these operations, one has to wait for the long confirmation time, usually it is
2/3N+12/3*N+1
where
NN
enotes the active validators. Aggregated signature mechanism with Parlia’s fast-finality can solve this problem because one can collect and convert many signatures into one aggregated signature and send only this aggregated signature to the chain. For the aggregated signature, some special elliptic curves such as BLS12381 or BN256 will be used.

Cryptographic Hash functions

A cryptographic hash function
H:{0,1}{0,1}kH: \{0,1\}^* \rightarrow \{0,1\}^k
takes an arbitrary-length message and outputs a fixed-length output. A hash function has the following basic properties:
· Deterministic: Given
mm
, we always have
x=H(m)x=H(m)
(the same input
mm
always results in the same output
xx
).
· Efficient: it is very fast to compute the hash value for any given message.
· Pre-image resistance (one-wayness): For essentially all pre-specified outputs, it is computationally infeasible to find any input which hashed to that output.
· Second pre-image resistance It is computationally infeasible to find a second message that produces the same hash value.
· Collision resistant: It is also hard to find two arbitrary inputs
xx
and
yy
that hash to the same value, i.e.,
H(x)=H(y)H(x)=H(y)
.

Digital Signatures: ECDSA Signing Algorithm

Let’s assume that
nn
is order point,
PP
and
QQ
are two points on an elliptic curve, and
GG
is a base point. The ECDSA signature algorithm can be described as follows:
Key generation:
1. Select a random number
dd
in the interval
[1,n1][ 1,n-1]
.
2. Compute
Q=dGQ=dG
3. Public key is
QQ
, private key is
dd
.
Signature generation:
1. Select a random integer
kk
,
1kn1≤k≤n
.
2. Compute
kG=(x1,y1)kG = (x_1,y_1)
and convert
x1x_1
to an integer
x^1\widehat{x}_1
.
3. Compute
r=x1 mod nr=x_1\ mod\ n
. If
r=0r=0
then go to step 1.
4. Compute
k1 mod nk^{-1}\ mod\ n
.
5. Compute
Hash(m)Hash(m)
and convert this bit string to an integer
ee
.
6. Compute
s=k1(e+dr) mod ns=k^{-1} (e + dr)\ mod\ n
. If
s=0s=0
then go to step 1.
7. Signature for the message
mm
is
(r,s)(r,s)
.
Signature verification:
1. Verify that
rr
and
ss
are integers in the interval
[1,n1][1,n-1]
.
2. Compute
Hash(m)Hash(m)
and convert this bit string to an integer
ee
.
3. Compute
w=s1 mod nw = s^{-1}\ mod\ n
.
4. Compute
u1=ew mod nu_1 = ew\ mod\ n
and
u2=rw mod nu_2 = rw\ mod\ n
.
5. Compute
X=u1G+u2QX = u_1G+u_2Q
.
6. If
X=θX=\theta
then reject the signature. Otherwise, convert the
xx
-coordinate
x1x_1
of
XX
to an integer
x^1\widehat{x}_1
, and compute
v=x^1 mod nv=\widehat{x}_1\ mod\ n
.

Aggregated Signatures

BLS 12381

BLS (Boneh, Lynn, Shacham) is another digital signature introduced in 2001 and has an aggregated structure. Let
e:G1×G2G3e: \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_3
be a pairing where
G1, G2\mathbb{G_1},\ \mathbb{G_2}
are additive groups and
G3\mathbb{G_3}
is a multiplicative group. Also, let
G1,G2G_1, G_2
and
G3G_3
are base elements of
G1, G2\mathbb{G_1},\ \mathbb{G_2}
and
G3\mathbb{G_3}
respectively.
Public and Private Key Pair
(pk,sk)(pk,sk)
:
· The private key
sksk
to be used for signing is just a randomly chosen number between
[1,r1][1,r-1]
.
· The corresponding public key is
pk=[sk]G1pk=[sk]G_1
.
Signing:
· To sign a message
mm
we first need to map
mm
onto a point in group
G2\mathbb{G_2}
. Let’s assume this mapping results in a
G2\mathbb{G}_2
point
H(m)H(m)
.
· We sign the message by calculating the signature
σ=skH(m)\sigma=skH(m)
.
Verification:
Given a message
mm
, a signature
σ\sigma
, and a public key
pkpk
, we want to verify that it was signed with the
sksk
.
· The signature is valid if, and only if,
e(G1,σ)=e(pk,H(m))e(G_1,\sigma) = e(pk,H(m))
.
Aggregation
One of the most important properties of BLS signatures is that they can be aggregated
· To aggregate signatures, we just must add up the
G2\mathbb{G}_2
points they correspond to:
σaggregated=σ1+σ2+...+σn\sigma_{aggregated} = \sigma_1 + \sigma_2 + ...+ \sigma_n
.
· We also aggregate the corresponding
G1G_1
public key point
pkaggregated=pk1+pk2+...+pknpk_{aggregated}=pk_1+pk_2+...+pk_n
.
· Verify that
e(G1,σaggregated)=e(pkaggregated,H(m))e(G_1,\sigma_{aggregated})=e(pk_{aggregated}, H(m))
to verify all the signatures together with just two pairings.

BN256 Curves

BN256 is basically the size of the prime number of the underlying field in
G1, G2\mathbb{G}_1,\ \mathbb{G}_2
and
G3\mathbb{G}_3
. In a BN256 curve,
G2\mathbb{G}_2
is basically
E(GF(p)), G2E(GF(p)),\ \mathbb{G}_2
is a subgroup of
E(GF(p12))E(GF(p^{12}))
and
G3\mathbb{G}_3
is a subgroup of
GF(p12)GF(p^{12})
. Elements of
G1\mathbb{G}_1
requires the same number of bits as
pp
for each elliptic curve point. We would like to highlight that not all prime-friendly curves support cofactor 1. This means that we may need a larger prime for a particular group order in some cases. Elements of
G2\mathbb{G}_2
require the same as
pkpk
for each elliptic curve point coordinate, where
kk
is the embedding degree of the curve. When using twisted curves, we can reduce this by 2, 3, 4, or 6 depending on the curve. BN curves have embedding degree 12 and support twists, therefore we can use elements with the same size as
p126=p2p^{\frac{12}{6}} = p^2
.