18 changes: 9 additions & 9 deletions docs/concepts/01-Cryptography.md
@@ -102,36 +102,36 @@ Below we first describe regular [BLS signatures](https://www.iacr.org/archive/as

#### BLS signature

BLS signatures are short signatures that rely on bilinear pairings and consist only of a single element in $\mathbb{G}_1$.
BLS signatures are signatures that rely on bilinear pairings and consist only of a single element in $\mathbb{G}_2$.

They are _deterministic_ in the sense that a BLS signature depends only on the message and the signer's key unlike other signature schemes, such as
[ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm), which requires a fresh random value for each signed message to be secure.

Put differently, any two BLS signatures on a given message produced with the same key are identical. In drand, we utilize this property to achieve unbiasability for the randomness generation. The BLS signature scheme consists of the following sub-procedures:

**Key Generation**: To generate a key pair, a signer first chooses a private key $x \in \mathbb{Z}_p^{\ast}$ at random and then computes the corresponding public key as $X = g_2^x \in \mathbb{G}_2$.
**Key Generation**: To generate a key pair, a signer first chooses a private key $x \in \mathbb{Z}_p^{\ast}$ at random and then computes the corresponding public key as $X = g_1^x \in \mathbb{G}_1$.

**Signature Generation**: Let $H : \{0,1\}^{\ast} \to \mathbb{G}_1$ denote a cryptographic hash function that maps arbitrary bit strings to elements of $\mathbb{G}_1$.
**Signature Generation**: Let $H : \{0,1\}^{\ast} \to \mathbb{G}_2$ denote a cryptographic hash function that maps arbitrary bit strings to elements of $\mathbb{G}_2$.

To compute a BLS signature $\sigma$ on a message $m$, the signer simply computes $\sigma = xH(m) \in \mathbb{G}_1$.
To compute a BLS signature $\sigma$ on a message $m$, the signer simply computes $\sigma = xH(m) \in \mathbb{G}_2$.

**Signature Verification**: To verify that a BLS signature $\sigma$ on a message $m$ is valid, the verifier checks if $e(H(m),X) = e(\sigma,g_2)$ holds using the signer’s public key $X$.
**Signature Verification**: To verify that a BLS signature $\sigma$ on a message $m$ is valid, the verifier checks if $e(X, H(m)) = e(g_1, \sigma)$ holds using the signer’s public key $X$.

It is easy to see that this equation holds for valid signatures since $e(H(m),X) = e(H(m),g_2^x) = e(H(m),g_2)^x = e(xH(m),g_2) = e(\sigma,g_2)$
It is easy to see that this equation holds for valid signatures since $e(X, H(m)) = e(g_1^x, H(m)) = e(g_1, H(m))^x = e(g_1, xH(m)) = e(g_1, \sigma)$

#### Signature threshold

The goal of a threshold signature scheme is to collectively compute a signature by combining individual partial signatures independently generated by the participants. A threshold BLS signature scheme has the following sub-procedures:

**Key Generation**: The $n$ participants execute a $t$-of-$n$ DKG to setup a collective public key $S \in \mathbb{G}_2$, and private key shares $s_i \in \mathbb{Z}_p^{\ast}$ of the unknown collective private key $s$, as described above.
**Key Generation**: The $n$ participants execute a $t$-of-$n$ DKG to setup a collective public key $S \in \mathbb{G}_1$, and private key shares $s_i \in \mathbb{Z}_p^{\ast}$ of the unknown collective private key $s$, as described above.

**Partial Signature Generation**: To sign a message $m$ each participant $i$ uses their private key share $s_i$ to create a _partial BLS signature_ $\sigma_i = s_{i}H(m)$.

**Partial Signature Verification**: To verify the correctness of a partial signature $\sigma_i$ on $m$, a verifier uses the public key share $S_i$, which is generated during the DKG, and verifies that $e(H(m),S_i) = e(\sigma_i,g_2)$ holds.
**Partial Signature Verification**: To verify the correctness of a partial signature $\sigma_i$ on $m$, a verifier uses the public key share $S_i$, which is generated during the DKG, and verifies that $e(S_i, H(m)) = e(g_1, \sigma_i)$ holds.

**Signature Reconstruction**: To reconstruct the collective BLS signature $\sigma$ on $m$, a verifier first needs to gather $t$ different and valid partial BLS signatures $\sigma_i$ on $m$ followed by a Lagrange interpolation on them.

**Signature Verification**: To verify a collective BLS signature $\sigma$, a verifier simply checks that $e(H(m),S_i) = e(\sigma_i,g_2)$ holds where $S$ is the collective public key.
**Signature Verification**: To verify a collective BLS signature $\sigma$, a verifier simply checks that $e(S, H(m)) = e(g_1, \sigma)$ holds where $S$ is the collective public key.

Thanks to the properties of Lagrange interpolation, the value of $\sigma$ is independent of the subset of $t$ valid partial signatures $\sigma_i$ chosen during signature reconstruction.

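Review bot: the rewritten BLS signature sentence drops "short" from "BLS signatures are short signatures" without saying why, and a reader of the rendered page will not see the old wording. Since this hunk moves the signature from $\mathbb{G}_1$ to $\mathbb{G}_2$ and the public key from $\mathbb{G}_2$ to $\mathbb{G}_1$, removing "short" is right, but please add one sentence after "consist only of a single element in $\mathbb{G}_2$" that states the trade-off, e.g. "Which of the two groups holds the public key and which holds the signature is a convention; the pairing equations below are written for public keys in $\mathbb{G}_1$ and signatures in $\mathbb{G}_2$." The rest of the hunk is internally consistent: $H$ now maps into $\mathbb{G}_2$, every pairing is written with the $\mathbb{G}_1$ element first, the bilinearity derivation $e(g_1^x, H(m)) = e(g_1, H(m))^x = e(g_1, xH(m))$ is correct, and $S$, $S_i$ in the threshold section move to $\mathbb{G}_1$ to match. Note that the collective "Signature Verification" line also corrects the stray $S_i$/$\sigma_i$ indices of the old text to $S$/$\sigma$; that is a bug fix rather than a convention change and is worth mentioning in the PR description.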