Barreto-Lynn-Scott Elliptic Curve Key Representations for JOSE and COSE

Internet-Draft	Barreto-Lynn-Scott Elliptic Curve Key Re	November 2025
Looker & Jones	Expires 8 May 2026	[Page]

Abstract

This specification defines how to represent cryptographic keys for the pairing-friendly elliptic curves known as Barreto-Lynn-Scott (BLS), for use with the key representation formats of JSON Web Key (JWK) and COSE (COSE_Key).¶

1. Introduction

This specification defines how to represent cryptographic keys for the pairing-friendly elliptic curves known as Barreto-Lynn-Scott [BLS], for use with the key representation formats of JSON Web Key (JWK) and COSE_Key. This specification registers the elliptic curves in appropriate IANA JOSE and COSE registries.¶

There are a variety of applications for pairing based cryptography including schemes already published as RFCs, such as Identity-Based Cryptography [RFC5091] Sakai-Kasahara Key Encryption (SAKKE) [RFC6508], and Identity-Based Authenticated Key Exchange (IBAKE) [RFC6539]. SAKKE is applied to Multimedia Internet KEYing (MIKEY) via [RFC6509] and IBAKE is applied for a similar application via [RFC6267].¶

This branch of cryptography has also been used to develop privacy-preserving cryptographic hardware attestations schemes, including the Elliptic Curve Direct Anonymous Attestation (ECDAA) in the Trusted Platform Modules [TPM] specified by the Trusted Computing Group. Further work on similar schemes has also occurred at the FIDO Alliance [ECDAA]. Similarly, Intel released [EPID] which provides a solution to remote hardware attestation for Intel Software Guard Extension (SGX) enabled environments.¶

More recently, applications of pairing based cryptography using the Barreto-Lynn-Scott curves include the standardization effort for BLS Signatures [id.draft.bls-signature], which are used extensively in multiple blockchain projects due to their unique signature aggregation properties, including [Ethereum] [DFINITY] [Algorand]. Additionally, efforts are under way to standardize the general purpose short group signature scheme of BBS Signatures [BBS], which features novel properties such as multi-message signing and selective disclosure alongside zero knowledge proving. It is intended that this draft will help with these efforts by standardizing the associated cryptographic key representation in the popular formats of JWK and COSE_Key.¶

Other relevant work to this draft includes [JWP] which is extending the JOSE family of specifications to provide support for representing a variety of new proof based cryptographic schemes such as [BBS] which as referred to above uses the Barreto-Lynn-Scott curves.¶

There are multiple different pairing-friendly curves in active use; however, this draft focuses on a definition for the Barreto-Lynn-Scott curves due to them being the most "widely used" and "efficient" whilst achieving 128-bit and 256-bit security (BLS12-381 and BLS48-581 respectively).¶

More extensive discussion on the broader application of pairing based cryptography and the assessment of various elliptic curves (including the BLS family) can be found in [id.draft.pairing-friendly-curves].¶

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶

2.1. Point Coordinates Encoding

A point representing a public key will either be in the G1 or G2 subgroup of a curve. Both are encoded using the compressed serialized point format defined normatively in Appendix B.2 of [BBS] and in Appendix C.¶

2.2. Representation Definition

The following definitions apply to the pairing-friendly elliptic curves known as the Barreto-Lynn-Scott (BLS) curves.¶

2.2.1. JSON Web Key Representation

When expressing a cryptographic key for these curves in JSON Web Key (JWK) form, the following rules apply:¶

The parameter "kty" MUST be present and set to "OKP".¶
The parameter "crv" MUST be present and value MUST be one defined in Section 2.2.3.¶
The parameter "x" MUST be present with its value being the base64url encoding of the compressed serialized point format defined normatively in Appendix B of [BBS].¶
The parameter "d" MUST be present for private key representations whose value MUST contain the big-endian representation of the private key base64url encoded without padding as defined in [RFC7515] Appendix C. This parameter MUST NOT be present for public keys.¶

2.2.2. COSE_Key Representation

When expressing a cryptographic key for these curves in COSE_Key form, the following rules apply:¶

The parameter "kty" (1) MUST be present and set to "OKP" (1).¶
The parameter "crv" (-1) MUST be present and value MUST be one defined in Section 2.2.3.¶
The parameter "x" (-2) MUST be present with its value being the compressed serialized point format defined normatively in Appendix B of [BBS].¶
The parameter "d" (-4) MUST be present for private key representations whose value MUST contain the big-endian representation of the private key. This parameter MUST NOT be present for public keys.¶

2.2.3. Curve Parameter Registration

Table 1
JWK "crv" value	COSE_Key "crv" value	Description
BLS12381G1	TBD (13 requested)	A cryptographic key on the Barreto-Lynn-Scott (BLS) curve featuring an embedding degree 12 with 381-bit p in the subgroup of G1 defined as `E(GF(p))` of order r. The private key will be 32 bytes long. The public key will be 48 bytes long.
BLS12381G2	TBD (14 requested)	A cryptographic key on the Barreto-Lynn-Scott (BLS) curve featuring an embedding degree 12 with 381-bit p in the subgroup of G2 defined as `E(GF(p^2))` of order r. The private key will be 32 bytes long. The public key will be 96 bytes long.
BLS48581G1	TBD (15 requested)	A cryptographic key on the Barreto-Lynn-Scott (BLS) curve featuring an embedding degree 48 with 581-bit p in the subgroup of G1 defined as `E(GF(p))` of order r. The private key will be 65 bytes long. The public key will be 73 bytes long.
BLS48581G2	TBD (16 requested)	A cryptographic key on the Barreto-Lynn-Scott (BLS) curve featuring an embedding degree 48 with 581-bit p in the subgroup of G2 defined as `E(GF(p^8))` of order r. The private key will be 65 bytes long. The public key will be 584 bytes long.

4. IANA Considerations

4.1. JSON Web Key (JWK) Elliptic Curve Registrations

This section registers the following values in the IANA "JSON Web Key Elliptic Curve" registry [IANA.JOSE.Curves].¶

BLS12381G1¶

Curve Name: BLS12381G1¶
Curve Description: 381 bit with an embedding degree of 12 Barreto- Lynn-Scott pairing-friendly curve using the r-order subgroup of E(GF(p))¶
JOSE Implementation Requirements: Optional¶
Change Controller: IESG¶
Specification Document(s): Section 2.2.1 ¶

BLS12381G2¶

Curve Name: BLS12381G2¶
Curve Description: 381 bit with an embedding degree of 12 Barreto- Lynn-Scott pairing-friendly curve using the r-order subgroup of E'(GF(p^2))¶
JOSE Implementation Requirements: Optional¶
Change Controller: IESG¶
Specification Document(s): Section 2.2.1 ¶

BLS48581G1¶

Curve Name: BLS48581G1¶
Curve Description: 581 bit with an embedding degree of 48 Barreto- Lynn-Scott pairing-friendly curve using the r-order subgroup of E(GF(p))¶
JOSE Implementation Requirements: Optional¶
Change Controller: IESG¶
Specification Document(s): Section 2.2.1 ¶

BLS48581G2¶

Curve Name: BLS48581G2¶
Curve Description: 581 bit with an embedding degree of 48 Barreto- Lynn-Scott pairing-friendly curve using the r-order subgroup of E'(GF(p^8))¶
JOSE Implementation Requirements: Optional¶
Change Controller: IESG¶
Specification Document(s): Section 2.2.1 ¶

4.2. COSE Elliptic Curve Registrations

This section registers the following value in the IANA "COSE Elliptic Curves" registry [IANA.COSE.Curves].¶

BLS12381G1¶

Curve Name: BLS12381G1¶
Value: TBD (13 requested)¶
Key Type: OKP¶
Curve Description: 381 bit with an embedding degree of 12 Barreto- Lynn-Scott pairing-friendly curve using the r-order subgroup of E(GF(p))¶
JOSE Implementation Requirements: Optional¶
Change Controller: IESG¶
Specification Document(s): Section 2.2.2 ¶
Recommended: Yes¶

BLS12381G2¶

Curve Name: BLS12381G2¶
Value: TBD (14 requested)¶
Key Type: OKP¶
Curve Description: 381 bit with an embedding degree of 12 Barreto- Lynn-Scott pairing-friendly curve using the r-order subgroup of E'(GF(p^2))¶
JOSE Implementation Requirements: Optional¶
Change Controller: IESG¶
Specification Document(s): Section 2.2.2 ¶
Recommended: Yes¶

BLS48581G1¶

Curve Name: BLS48581G1¶
Value: TBD (15 requested)¶
Key Type: OKP¶
Curve Description: 581 bit with an embedding degree of 48 Barreto- Lynn-Scott pairing-friendly curve using the r-order subgroup of E(GF(p))¶
JOSE Implementation Requirements: Optional¶
Change Controller: IESG¶
Specification Document(s): Section 2.2.2 ¶
Recommended: Yes¶

BLS48581G2¶

Curve Name: BLS48581G2¶
Value: TBD (16 requested)¶
Key Type: OKP¶
Curve Description: 581 bit with an embedding degree of 48 Barreto- Lynn-Scott pairing-friendly curve using the r-order subgroup of E'(GF(p^8))¶
JOSE Implementation Requirements: Optional¶
Change Controller: IESG¶
Specification Document(s): Section 2.2.2 ¶
Recommended: Yes¶

5. References

5.1. Normative References

[BLS]: Barreto, P., Lynn, B., and M. Scott, "Constructing Elliptic Curves with Prescribed Embedding Degrees", 2003, <https://link.springer.com/chapter/10.1007/3-540-36413-7_19>.
[IANA.COSE.Curves]: IANA, "COSE Elliptic Curves", <https://www.iana.org/assignments/cose/cose.xhtml#elliptic-curves>.
[IANA.JOSE.Curves]: IANA, "JOSE Elliptic Curves", <https://www.iana.org/assignments/jose/jose.xhtml#web-key-elliptic-curve>.
[RFC2119]: Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC7515]: Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015, <https://www.rfc-editor.org/info/rfc7515>.
[RFC7517]: Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, May 2015, <https://www.rfc-editor.org/info/rfc7517>.
[RFC8152]: Schaad, J., "CBOR Object Signing and Encryption (COSE)", RFC 8152, DOI 10.17487/RFC8152, July 2017, <https://www.rfc-editor.org/info/rfc8152>.

5.2. Informative References

[BBS]: IRTF CFRG, "The BBS Signature Scheme", 7 July 2025, <https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-signatures-09.html>.
[ECDAA]: FIDO Alliance, "ECDAA Algorithm", 2018, <https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-ecdaa-algorithm-v2.0-id-20180227.html>.
[EPID]: Intel Corporation, "Intel (R) SGX: Intel (R) EPID Provisioning and Attestation Services", <https://software.intel.com/en-us/download/intel-sgx-intel-epid-provisioning-and-attestation-services>.
[JWP]: Miller, J., Waite, D., and M. Jones, "JSON Web Proof", 21 October 2023, <https://www.ietf.org/archive/id/draft-ietf-jose-json-web-proof-02.html>.
[RFC5091]: Boyen, X. and L. Martin, "Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems", RFC 5091, DOI 10.17487/RFC5091, December 2007, <https://www.rfc-editor.org/info/rfc5091>.
[RFC6267]: Cakulev, V. and G. Sundaram, "MIKEY-IBAKE: Identity-Based Authenticated Key Exchange (IBAKE) Mode of Key Distribution in Multimedia Internet KEYing (MIKEY)", RFC 6267, DOI 10.17487/RFC6267, June 2011, <https://www.rfc-editor.org/info/rfc6267>.
[RFC6508]: Groves, M., "Sakai-Kasahara Key Encryption (SAKKE)", RFC 6508, DOI 10.17487/RFC6508, February 2012, <https://www.rfc-editor.org/info/rfc6508>.
[RFC6509]: Groves, M., "MIKEY-SAKKE: Sakai-Kasahara Key Encryption in Multimedia Internet KEYing (MIKEY)", RFC 6509, DOI 10.17487/RFC6509, February 2012, <https://www.rfc-editor.org/info/rfc6509>.
[RFC6539]: Cakulev, V., Sundaram, G., and I. Broustis, "IBAKE: Identity-Based Authenticated Key Exchange", RFC 6539, DOI 10.17487/RFC6539, March 2012, <https://www.rfc-editor.org/info/rfc6539>.
[RFC8174]: Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[TPM]: Trusted Computing Group, "Trusted Platform Module", <https://trustedcomputinggroup.org/>.
[id.draft.bls-signature]: IRTF CFRG, "BLS Signatures", 16 June 2022, <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05>.
[id.draft.pairing-friendly-curves]: IRTF CFRG, "Pairing-Friendly Curves", 10 May 2023, <https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-11.html>.

Appendix A. JSON Web Key Examples

A.1. BLS12381 Key Pairs

The following examples showcase JWKs for both the G1 and G2 subgroups of the BLS12381 curve. Note, the examples also include the corresponding private key, expressed through the inclusion of the "d" parameter.¶

An example JWK for the BLS12381 curve where the public key is in the G1 subgroup.¶

{
  "kty": "OKP",
  "crv": "BLS12381G1",
  "x": "iQ5g10FLC8VIX4b0jjN1ofvjStLU1tL0xN-_CpcHNPiQMT6qtk8hYBmbyevZWu5y",
  "d": "csnGswuvtF4lLJ5g7xdlFRbOKI1N7XaPhFdLZc408JU"
}

Another example of a different JWK for the BLS12381 curve where the public key is in the G1 subgroup.¶

{
  "kty": "OKP",
  "crv": "BLS12381G1",
  "x": "q6GrMMvlJ46PKeaj-IoTBtr9MDpORjmE8rQjUNOgsYXIBRYZhMn0XWCHdNWyZos_",
  "d": "H--QT8IQCXMHlYHEVBy6Z2yU4jENSPcmB6eVvcOWDHI"
}

An example JWK for the BLS12381 curve where the public key is in the G2 subgroup.¶

{
  "kty": "OKP",
  "crv": "BLS12381G2",
  "x": "pVD25M3Ca0jOBmHizej_YwuVOEIadk44urQcQQD3uhITsWj5LdgRmjTkftCme9KQ
EReUf5yoxPi7pDDx4UdkmTXtzuaIKm9YY2cOpT5dO26ttBSzneQEUFhHpM3sdUmf",
  "d": "XdXO0OOc6YrVTKEPIR6JmmTSDDA5Y5pxCyY5TRI0k5c"
}

Another example of a different JWK for the BLS12381 curve where the public key is in the G2 subgroup.¶

{
  "kty": "OKP",
  "crv": "BLS12381G2",
  "x": "o-w6GPtbZuiG7pEZ7Jelw925pirHQIunTOnLy-F68HSs3A2ejcukZFeYkyWOsVyI
DZKkES69mX0UBhUeyHI_DaZMv3YbSs_9Q1YxtJVn4uaneEykAFtTJyCSh2A6H1S7",
  "d": "MpN9MF6G6pmiZaJN6WOjWM2LQt07Blgb7WeJQbsKxWY"
}

A.2. BLS48581 Key Pairs

The following examples showcase JWKs for both the G1 and G2 subgroups of the BLS48581 curve. As before, note that the examples also include the corresponding private key, expressed through the inclusion of the "d" parameter.¶

An example JWK for the BLS48581 curve where the public key is in the G1 subgroup.¶

{
  "kty": "OKP",
  "crv": "BLS48581G1",
  "x": "jKj8Qmvi52Lky3VXrVaK7rEjW5lFBimGpicaEXPcsYrKzTjV5rRXYwtUog3QqY8Ub
aE7cGD2ppQXtR2KWfK6DpHWXy2HaGWS4g",
  "d": "EKF6v4ZUUDPLp52MWzpmTUg-S_-e01R08TcSH_wSUFkD4QteRbC13LEJE0W7aGJIV
i1BoLLaAcuTbJxwI_1qAbs"
}

Another example of a different JWK for the BLS48581 curve where the public key is in the G1 subgroup.¶

{
  "kty": "OKP",
  "crv": "BLS48581G1",
  "x": "q9xqInwvGl6wXUITFFQMUUP4WKdVfmuTSS8gXsoe9ds1R78KR2xMoodMY9iTrWcD
eTYlOiFaRCxjMKhdgEwO3XMbKAnqPbUyQA",
  "d": "DKrY4HjY_A9pER9o0-YZ2AFq7VbNFEjsnXhGV6eKzgotb2cND-8E5bRb8zahSSAN
JqXHSTka7RAswU-8fprn0v0"
}

An example JWK for the BLS48581 curve where the public key is in the G2 subgroup.¶

{
  "kty": "OKP",
  "crv": "BLS48581G2",
  "x": "g7cSrDeOkRJ5WXJMzb5OsLSWaAeVe8yXBxprZRTl9I8722A19NXCS8iR3xbTk-1V
am8dY4ZBV2TzeIWJT79GZNC2aTsup-WvSwqtB8gyafGtIXd0VSYkA3ApQosFTJoqro2vMk5Y
AuFKMvDzVaKR66zmCU6eLPeiWKiUsoOxV8g7VIo5p6Kxb9-wr6_MVEA2LfUMj1ecZXVf17XI
kvAt14iDUWVr8bouQOTGD00WS6o1dzPpacffZTd39285o4sNpFtOD2RRzHSm_imsYM7B9c5d
p0FAree2Om_hC6bYHBzdginDi84nOFCv1WzRb57Hy0tos8BY_3J-Tk70XS_7ren7OUyuQd1G
WLwhgMvHIFb7mxBOpxYTbP4_OYqNlDkpB4nA5A7lT5cjIbLHnj94Vn-HwFfLa6imE6zwt7Fa
IF9bwo3RUdwOn_Af75afZsxZ6xbDndOCxuHK0rDc8TQ9jZ4mFOqk6QNKl69dq8cQoc6eZnlJ
0DiD1_2QUGytR8PDK-a74mXrzfY51xifhq6bRVq1YdlnTk_afFMNIf6hLF2p_LcowHJ902--
0kUNUNzmYyYw2IoUCIjrvnJE2qwFKD6AseoQ18m3i1jeG6_i9KXT8QH9s-Wnp7hwv49wBIr2
dXOo-IB3T5jLm2hKm_w5e2GJRKabm5nSdr5L2YCGAwrupLy3vo2KFPUTX2evpzIaU4a455Ny
gWNka59tht-QcB4s5JK6X8h-m99Nbn4wgJAuHo2g9TSDyUK7l7UJVkx2rEckQfPj2fs",
  "d": "DMEAsp5YBiZvmzxnmZaA4baSfqc5-UK_tJBlJCP2_ig5ZEq0C7XAhI6jhHZX0y2H
XZUk9_y9QI_68dAwugoguh0"
}

Another example of a different JWK for the BLS48581 curve where the public key is in the G2 subgroup.¶

{
  "kty": "OKP",
  "crv": "BLS48581G2",
  "x": "pYOX8QwBD32Rs4fvEGskWN5Fxbm1QYWDlGOIMfDSIBr1lJF0qj4UnKZngrHvjIQe
HSHfEjM8-1Z5xvjoehD7nDps0JEVQvr2eg4EEG5aRnL8F5uIo2QNdExwadKjjNu8tIvpjF_l
Bnoqy-RZyMGSPpIMxHnJMmO2VgtDYUft1WuVyrIjiFIDBSCnchYa734IV7MDbbyDofBnQl4L
F7Qn5mKt-r-WRmAf0gh_xEUW5d1D9XiLE3goIqfwiKUo4AoM2AkwQFCm6dImzJRAf5OMBwN3
U2uo-LeCMKXZDDsyARadT_zzbhDwYyiznjHssxONiukY25dXHQ1NOW_4ow0YI1O30a8KGAW-
n6SNU4eLIXo4U5blqpu4189proxjUemeE_To9QMqDaaxx-nr_Hz4kbE2FdVPESqlepLGcGpR
N7M_BVOZ-G_9wPiWbBbOjKy0rweMd9eEs7FAt1kHtMFNvur2c4rnWMF_p-aZs7ALT2aSl2tU
VVOZcSm25wHs6mllSOqMfCfw_aFiiOnd5AovXIAPJChH0lJL5b-Ji0-KpiOYA92x0w9P-JBu
9TEtJhkTgh9qcDb7BwC43BJvfoFfF-xPNwC2ZYR_8-zajuwRgZwrIQ11LIIVLOuOyeGdbPG7
JMdaJrTubV6iDxkx9x42zD_Nvb-f0FTbk_uYuxT3KBBGbmD9Zz54OFvHel41dmBtFiHqUtxy
bb3d71OHeZyvxu8b6LMZ22JpjVzRja1l95CiLAfBAdMDHyxwYE8a_4j1p0Zp7KyHGB8",
  "d": "CHIVGUCPsLY0GIx9DgOZlxmJHIWYrupsXtuKLZmFLCu5evIxwxrKo0edTXuch7uc
N437IDzp4P5-WKYtVcWFUrU"
}

Appendix B. COSE_Key Examples

B.1. BLS12381 Key Pairs

The following examples showcase COSE_Key examples for both the G1 and G2 subgroups of the BLS12381 curve. Note, the examples also include the corresponding private key, expressed through the inclusion of the "d" (-4) parameter.¶

An example COSE_Key for the BLS12381 curve where the public key is in the G1 subgroup expressed as an octet string.¶

a40101200d215830890e60d7414b0bc5485f86f48e3375a1fbe34ad2d4d6d2f4c4dfbf0a
970734f890313eaab64f2160199bc9ebd95aee7223582072c9c6b30bafb45e252c9e60ef
17651516ce288d4ded768f84574b65ce34f095