From 86d5f7a3a160b8abd026b8590d09b39b7e963ac8 Mon Sep 17 00:00:00 2001
From: Arnould Geelhand <64195039+Gimzou@users.noreply.github.com>
Date: Sun, 23 Nov 2025 18:05:04 +0100
Subject: [PATCH] docs: align BLS signature section with Pedersen scheme configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The BLS signature and threshold signature sections now describe the Pedersen scheme configuration (G₁ keys, G₂ signatures) rather than the RFC9380 configuration (G₂ keys, G₁ signatures).

Changes:
- Public keys: G₂ → G₁ (48 bytes)
- Signatures: G₁ → G₂ (96 bytes)
- Hash function: H: {0,1}* → G₁ changed to H: {0,1}* → G₂
- Updated all pairing equations: e(H(m),X) = e(σ,g₂) → e(X,H(m)) = e(g₁,σ)
- Updated threshold signature equations to match
- Fixed signature verification to use collective values (S, σ) instead of partial values (Sᵢ, σᵢ)

This provides better flow into the "Smaller signatures" section which explains how the RFC9380 scheme swaps these group assignments to achieve smaller signatures. The general description now matches the historically primary Pedersen schemes used by most drand networks.
---
 docs/concepts/01-Cryptography.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/docs/concepts/01-Cryptography.md b/docs/concepts/01-Cryptography.md
index 3394f44..12a2ded 100644
--- a/docs/concepts/01-Cryptography.md
+++ b/docs/concepts/01-Cryptography.md
@@ -102,36 +102,36 @@ Below we first describe regular [BLS signatures](https://www.iacr.org/archive/as #### BLS signature -BLS signatures are short signatures that rely on bilinear pairings and consist only of a single element in $\mathbb{G}_1$. +BLS signatures are signatures that rely on bilinear pairings and consist only of a single element in $\mathbb{G}_2$. They are _deterministic_ in the sense that a BLS signature depends only on the message and the signer's key unlike other signature schemes, such as [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm), which requires a fresh random value for each signed message to be secure. Put differently, any two BLS signatures on a given message produced with the same key are identical. In drand, we utilize this property to achieve unbiasability for the randomness generation. The BLS signature scheme consists of the following sub-procedures: -**Key Generation**: To generate a key pair, a signer first chooses a private key $x \in \mathbb{Z}_p^{\ast}$ at random and then computes the corresponding public key as $X = g_2^x \in \mathbb{G}_2$. +**Key Generation**: To generate a key pair, a signer first chooses a private key $x \in \mathbb{Z}_p^{\ast}$ at random and then computes the corresponding public key as $X = g_1^x \in \mathbb{G}_1$. -**Signature Generation**: Let $H : \{0,1\}^{\ast} \to \mathbb{G}_1$ denote a cryptographic hash function that maps arbitrary bit strings to elements of $\mathbb{G}_1$. +**Signature Generation**: Let $H : \{0,1\}^{\ast} \to \mathbb{G}_2$ denote a cryptographic hash function that maps arbitrary bit strings to elements of $\mathbb{G}_2$. -To compute a BLS signature $\sigma$ on a message $m$, the signer simply computes $\sigma = xH(m) \in \mathbb{G}_1$. +To compute a BLS signature $\sigma$ on a message $m$, the signer simply computes $\sigma = xH(m) \in \mathbb{G}_2$. 
-**Signature Verification**: To verify that a BLS signature $\sigma$ on a message $m$ is valid, the verifier checks if $e(H(m),X) = e(\sigma,g_2)$ holds using the signer’s public key $X$. +**Signature Verification**: To verify that a BLS signature $\sigma$ on a message $m$ is valid, the verifier checks if $e(X, H(m)) = e(g_1, \sigma)$ holds using the signer’s public key $X$. -It is easy to see that this equation holds for valid signatures since $e(H(m),X) = e(H(m),g_2^x) = e(H(m),g_2)^x = e(xH(m),g_2) = e(\sigma,g_2)$ +It is easy to see that this equation holds for valid signatures since $e(X, H(m)) = e(g_1^x, H(m)) = e(g_1, H(m))^x = e(g_1, xH(m)) = e(g_1, \sigma)$ #### Signature threshold The goal of a threshold signature scheme is to collectively compute a signature by combining individual partial signatures independently generated by the participants. A threshold BLS signature scheme has the following sub-procedures: -**Key Generation**: The $n$ participants execute a $t$-of-$n$ DKG to setup a collective public key $S \in \mathbb{G}_2$, and private key shares $s_i \in \mathbb{Z}_p^{\ast}$ of the unknown collective private key $s$, as described above. +**Key Generation**: The $n$ participants execute a $t$-of-$n$ DKG to setup a collective public key $S \in \mathbb{G}_1$, and private key shares $s_i \in \mathbb{Z}_p^{\ast}$ of the unknown collective private key $s$, as described above. **Partial Signature Generation**: To sign a message $m$ each participant $i$ uses their private key share $s_i$ to create a _partial BLS signature_ $\sigma_i = s_{i}H(m)$. -**Partial Signature Verification**: To verify the correctness of a partial signature $\sigma_i$ on $m$, a verifier uses the public key share $S_i$, which is generated during the DKG, and verifies that $e(H(m),S_i) = e(\sigma_i,g_2)$ holds. 
+**Partial Signature Verification**: To verify the correctness of a partial signature $\sigma_i$ on $m$, a verifier uses the public key share $S_i$, which is generated during the DKG, and verifies that $e(S_i, H(m)) = e(g_1, \sigma_i)$ holds. **Signature Reconstruction**: To reconstruct the collective BLS signature $\sigma$ on $m$, a verifier first needs to gather $t$ different and valid partial BLS signatures $\sigma_i$ on $m$ followed by a Lagrange interpolation on them. -**Signature Verification**: To verify a collective BLS signature $\sigma$, a verifier simply checks that $e(H(m),S_i) = e(\sigma_i,g_2)$ holds where $S$ is the collective public key. +**Signature Verification**: To verify a collective BLS signature $\sigma$, a verifier simply checks that $e(S, H(m)) = e(g_1, \sigma)$ holds where $S$ is the collective public key. Thanks to the properties of Lagrange interpolation, the value of $\sigma$ is independent of the subset of $t$ valid partial signatures $\sigma_i$ chosen during signature reconstruction.
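Review bot: In the threshold section the group assignments are only half stated after the swap: the unchanged "Partial Signature Generation" line still reads $\sigma_i = s_{i}H(m)$ with no group, and the rewritten "Partial Signature Verification" line never says where $S_i$ lives, while the single-signer lines above spell out $X \in \mathbb{G}_1$ and $\sigma \in \mathbb{G}_2$. Since the whole point of this change is which group each value belongs to, add $\sigma_i \in \mathbb{G}_2$ and $S_i \in \mathbb{G}_1$ there so a reader can check the argument order of $e(S_i, H(m)) = e(g_1, \sigma_i)$ without scrolling back. Separately, the rewritten "It is easy to see" chain mixes multiplicative notation for $\mathbb{G}_1$ ($g_1^x$) with additive notation for $\mathbb{G}_2$ ($xH(m)$) inside one equation; every line of that chain is already being touched, so this is a good moment to pick one convention for both groups. Finally, the 48-byte and 96-byte sizes appear only in the commit message; the first changed sentence drops "short" without saying why, and a short mention of the sizes in the text would give the lead-in to "Smaller signatures" that the commit message describes.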