A BLS12-381 signature library written in C and assembly focused on performance and security.

This library has not yet been audited. Use at your own risk.

Compliant with IETF draft specifications:

• IETF BLS Signature V2
• IETF Hash-to-Curve V9

Support for x86_64 and ARM64

Support for Linux, Mac, and Windows

Explicit bindings for other languages

• Go
• Rust

Unless deemed appropriate to implement specific one, bindings for other languages will be provided using SWIG

• so far tested Python

Formal verification will be rolling in to various components of the library over the coming months utilizing cryptol and coq

• Field, curve and bulk signature operations

The blst API is defined in the C header bindings/blst.h. The API can be categorized as follows with some example operations:

• Field (add, sub, mul, neg, inv, to/from Montgomery)
• Curve (add, double, mul, to/from affine, group check)
• Intermediate (hash to curve, pairing, serdes)
• BLS12-381 signature core (sign, verify, aggregate)

Note there is also an auxiliary header file bindings/blst_aux.h that is used as a staging area for experimental interfaces that may or may not get promoted to blst.h.

The build process is very simple and only requires a C complier. It's integrated into Go and Rust ecosystems, so that respective users would go about as they would with any other external module. Otherwise a binary library would have to be compiled.

A static library called libblst.a can be built in current working directory of user's choice.

Linux, Mac, and Windows (in MinGW or Cygwin environments)

/some/where/build.sh

Windows (Visual C)

\some\where\build.bat

Bindings to other languages that implement minimal-signature-size and minimal-pubkey-size variants of the BLS signature specification are provided as follows:

TODO - basic details

For more details see the Go binding readme.

blst is the Rust binding crate.

To use min-pk version:

use blst::min_pk::*;

To use min-sig version:

use blst::min_sig::*;

For more details see the Rust binding readme.

TODO - example swig build/usage

The goal of the blst library is to provide a foundational component for applications and other libraries that require high performance and formally verified BLS12-381 operations. With that in mind some decisions are made to maximize the public good beyond BLS12-381. For example the field operations are optimized for general 384-bit usage as opposed to tuned specifically for the 381-bit BLS12-381 curve parameters. With the formal verification of these foundational components, we believe they can provide a reliable building block for other curves that would like high performance and an extra element of security.

Library deliberately abstains from dealing with memory management and multi-threading with rationale that these ultimately belong in language-specific bindings. Another responsibility that is left to application is random number generation. All this in the name of ultimate run-time neutrality, which makes integration into more stringent environments like Intel SGX or ARM TrustZone trivial.

The assembly code is wrapped into Perl scripts which output an assembly file based on the ABI and operating system. In the build directory there are pre-build assembly files for elf, mingw64, masm, and macosx. See build.sh or refresh.sh for usage. This method allows for simple reuse of optimized assembly across various platforms with minimal effort.

Serialization formatting is implemented according to Appendix A. BLS12-381 of the IETF spec that calls for using the ZCash definition.

Currently both the Go and Rust bindings provide benchmarks for a variety of signature related operations.

The blst library is licensed under the Apache License Version 2.0 software license.