When a new signature scheme like BLS, Schnorr, or a novel post-quantum algorithm is proposed, the review process begins with formal verification. Examine the published academic paper or specification for a clear security proof under standard models like the Random Oracle Model (ROM) or the Generic Group Model (GGM). Check for assumptions—does it rely on the Discrete Log Problem (DLP) or Learning With Errors (LWE)? A robust proof should define the exact security notions it achieves, such as Existential Unforgeability under Chosen Message Attacks (EUF-CMA). Be skeptical of schemes lacking peer-reviewed publication or those making vague security claims without formal backing.
LABS
Guides
How to Review Signature Scheme Proposals
A technical guide for developers and researchers to systematically evaluate new cryptographic signature proposals, covering security assumptions, performance, and implementation risks.
Chainscore © 2026
introduction
A PRACTICAL GUIDE
How to Review Signature Scheme Proposals
Evaluating cryptographic signature proposals requires a structured approach to assess security, performance, and implementation feasibility.
Next, analyze the performance characteristics and real-world trade-offs. For blockchain contexts, key metrics include signature size (in bytes), public key size, and the computational cost of KeyGen, Sign, and Verify operations. Compare these against established benchmarks. For instance, BLS signatures enable aggregation, reducing on-chain footprint, but require slower pairing operations. EdDSA (Ed25519) offers fast verification and deterministic nonces. A proposal should clearly state its performance in different environments (e.g., mobile vs. server) and provide benchmarks against standards like NIST's P-256 or secp256k1.
Implementation security is a critical, often overlooked layer. Review the proposal for side-channel resistance—are signing operations constant-time? Does the algorithm require secret-dependent branches or variable-time operations that could leak information? Examine the specification for explicit guidance on handling randomness. A good proposal will detail requirements for a cryptographically secure random number generator (CSPRNG) and warn against pitfalls, like nonce reuse in ECDSA. Look for a clear test vector suite to validate correct implementation, which is essential for interoperability.
Finally, consider the ecosystem and adoption feasibility. Does the scheme have a clear, standard serialization format (e.g., IEEE P1363, IETF RFC)? Are there mature, audited libraries in multiple languages (like Rust's arkworks or blst for BLS)? For blockchain integration, assess upgrade paths and backward compatibility. A proposal should address how it integrates with existing infrastructure, such as wallet standards (BIP-340 for Schnorr) or smart contract precompiles. The ultimate goal is a scheme that is not only theoretically sound but also practically deployable without introducing systemic risk.
prerequisites
PREREQUISITES FOR REVIEWERS
How to Review Signature Scheme Proposals
A guide to the foundational knowledge required to effectively evaluate new cryptographic signature schemes for blockchain protocols.
Reviewing a signature scheme proposal requires a solid understanding of core cryptographic primitives. You should be comfortable with the concepts of elliptic curve cryptography (ECC), finite fields, and the discrete logarithm problem. Familiarity with widely used schemes like ECDSA (Elliptic Curve Digital Signature Algorithm) and EdDSA (Edwards-curve Digital Signature Algorithm) is essential, as most new proposals are variations or improvements upon these standards. Understanding their components—key generation, signing, and verification—provides the baseline for comparison.
Beyond the basics, you must grasp the specific security properties a scheme must guarantee. These include existential unforgeability under chosen message attacks (EUF-CMA), which ensures an adversary cannot forge a signature for a new message. Reviewers should also assess resistance to side-channel attacks (like timing or power analysis) and fault injection attacks. Proposals often include formal security proofs; being able to critically evaluate the underlying assumptions and reduction arguments is a key skill for a reviewer.
For blockchain applications, performance and implementation details are critical. You need to analyze metrics like signature size (often 64 or 65 bytes for ECDSA), public key size, and computational cost for signing and verification. Consider the scheme's behavior in a decentralized environment: is signature aggregation possible? Does it enable efficient multi-signatures or threshold signatures? Review the proposed elliptic curve (e.g., secp256k1, Curve25519) and its properties, such as whether it supports efficient endomorphism or has a rigid design to avoid backdoors.
Finally, practical review involves examining the specification and reference implementation. The proposal should unambiguously define serialization formats, encoding rules (like DER for ECDSA or pure EdDSA), and domain separation. Scrutinize the provided code for common cryptographic pitfalls: constant-time execution to prevent timing leaks, proper handling of randomness, and secure memory management. A strong proposal will also include test vectors and a clear analysis of its advantages over existing schemes, such as improved speed, smaller signatures, or enhanced security properties.
key-concepts
SIGNATURE SCHEMES
Core Concepts to Evaluate
When reviewing a new signature scheme proposal, focus on these fundamental cryptographic and implementation properties to assess its security and viability.
02
Performance and Scalability
Evaluate computational and bandwidth costs for real-world use. Key metrics include:
- Signature size: Impacts on-chain gas costs and storage (e.g., BLS ~96 bytes, ECDSA ~65 bytes).
- Verification time: Critical for high-throughput blockchains and light clients.
- Key/signature aggregation: Ability to compress multiple signatures, a major advantage for rollups and committees. Benchmark against established schemes like ECDSA/secp256k1 and EdDSA/Ed25519.
04
Cryptographic Agility and Ecosystem Fit
Determine if the scheme enables new use cases or integrates with existing infrastructure. Consider:
- Signature aggregation for scalable consensus (used by Ethereum's Beacon Chain).
- Threshold signatures for distributed key generation (DKG) in multi-party computation.
- Compatibility with widely adopted curves (e.g., secp256k1, BLS12-381) and wallets. Evaluate if the benefits justify the ecosystem migration cost from current standards.
review-framework
GUIDE
The Review Framework: A Step-by-Step Process
A systematic methodology for evaluating cryptographic signature scheme proposals, from initial assessment to final recommendation.
Reviewing a new signature scheme proposal requires a structured approach to assess its security, efficiency, and practicality. The process begins with a preliminary assessment of the proposal's documentation. This involves verifying the clarity of the problem statement, the completeness of the specification, and the presence of a formal security model. A well-defined model should specify the adversarial capabilities (e.g., chosen message attacks) and the security goals (e.g., existential unforgeability). Missing or ambiguous definitions at this stage are a major red flag that must be addressed before deeper analysis.
The core of the review is the security analysis. This step involves scrutinizing the underlying hardness assumptions, such as the Discrete Logarithm Problem or Lattice-based problems. You must evaluate the provided security proof, checking for logical soundness, reduction tightness, and any hidden assumptions. For example, a proof for a Schnorr-based scheme should clearly reduce forgery to solving the discrete log. Concurrently, analyze the scheme for known cryptographic vulnerabilities like signature malleability, key recovery attacks, or fault injection weaknesses. Tools like formal verification frameworks (e.g., EasyCrypt, Cryptol) can be employed to automate parts of this analysis.
Next, conduct a performance and implementation audit. This involves benchmarking the scheme against established alternatives like ECDSA or BLS signatures. Key metrics include signature size (in bytes), public key size, and computational cost for signing and verification. Provide concrete numbers, such as: "Ed25519 produces 64-byte signatures, while the proposed scheme yields 96-byte signatures." Review the reference implementation for side-channel resistance (constant-time operations), proper randomness handling, and compliance with relevant standards (e.g., RFC 8032 for EdDSA). A lack of a constant-time scalar multiplication is a critical implementation flaw.
The final phase is ecosystem fit and recommendation. Determine the scheme's suitability for the intended application, such as blockchain consensus, secure messaging, or decentralized identity. Consider interoperability with existing systems and libraries. Synthesize your findings into a clear report with a risk assessment matrix, categorizing issues as critical, high, or low severity. Conclude with one of three recommendations: Adopt (scheme is sound and fit-for-purpose), Revise (requires specific changes), or Reject (fundamental flaws). This structured framework ensures a thorough, reproducible, and actionable review process for any signature scheme.
COMPARISON
Signature Scheme Security Properties
Key cryptographic properties to evaluate when selecting a signature scheme for blockchain protocols.
| Security Property | ECDSA | EdDSA (Ed25519) | BLS Signatures |
|---|---|---|---|
Signature Size | 64 bytes | 64 bytes | 96 bytes (G1) / 48 bytes (G2) |
Aggregation Support | |||
Quantum Resistance | |||
Deterministic Signatures | |||
Signature Verification Time | < 1 ms | < 0.5 ms | ~5-10 ms |
Post-Quantum Candidate | |||
Standardization Level | NIST FIPS 186-5 | RFC 8032 | IETF Draft |
Batch Verification |
common-red-flags
SIGNATURE SECURITY
Common Red Flags and Pitfalls
Critical vulnerabilities in signature schemes often stem from subtle design flaws. This guide outlines key red flags to identify during proposal reviews.
02
Missing Domain Separation
Signatures must be bound to a specific context to prevent cross-protocol attacks. A proposal lacking domain separation is a critical flaw.
- Risk: A signature valid for a transaction in Protocol A could be replayed for a different action in Protocol B.
- Solution: The scheme must hash a domain separator (e.g.,
\x19Ethereum Signed Message:\n<length>) along with the message. BLS signatures on Ethereum useETH2_prefixes for this purpose.
04
Weak or Custom Hash Functions
Proposals that specify non-standard or cryptographically weak hash functions are a severe red flag. The security of the signature relies entirely on the hash's collision resistance.
- Pitfall: Using SHA1, MD5, or a custom, unvetted hash function.
- Requirement: Insist on SHA-256, Keccak-256, or BLAKE2b. For elliptic curve schemes like EdDSA, the hash must match the curve's security level (e.g., SHA-512 for Ed25519).
05
Lack of Formal Security Proof
Any new or modified signature scheme presented without a peer-reviewed security proof should be treated with extreme skepticism. Ad-hoc designs are prone to unforeseen attacks.
- Check: The proposal should reference a proof in the random oracle model (ROM) or standard model under accepted hardness assumptions (e.g., Discrete Log, Elliptic Curve).
- Example: The security of Schnorr signatures is proven under the Discrete Logarithm assumption.
performance-analysis
ANALYZING PERFORMANCE AND GAS COSTS
How to Review Signature Scheme Proposals
A technical guide for developers and researchers to systematically evaluate the performance and on-chain cost implications of new cryptographic signature schemes.
When reviewing a new signature scheme proposal, start by establishing a clear baseline for comparison. For Ethereum and EVM-compatible chains, this typically means ECDSA with secp256k1 and BLS12-381. Your analysis must measure against these standards in two key dimensions: computational performance (verification speed, signing time) and on-chain gas costs. For gas analysis, create a minimal, optimized Solidity or Vyper implementation and benchmark it using tools like forge bench, hardhat-gas-reporter, or by deploying to a testnet and calling the contract directly. Document the gas cost for a single verification and for batch operations if supported.
Performance benchmarking should occur off-chain. Use standardized cryptographic libraries like libsecp256k1, bls-signatures, or the proposer's implementation in a language like Rust or C++. Measure CPU cycles and wall-clock time for critical operations: key generation, signing, and verification. For schemes claiming post-quantum security (e.g., based on lattices or hash functions), pay special attention to signature and public key sizes, as these directly impact calldata gas costs and storage overhead. A proposal must justify any increase in size with a commensurate security benefit.
Analyze the scheme's behavior under realistic blockchain conditions. How does verification gas scale with the number of signers in a multisig or the size of a Merkle proof? If the scheme enables signature aggregation, quantify the gas savings per additional signature in the batch. Be wary of precompiles: a proposal suggesting a new Ethereum precompile must demonstrate orders-of-magnitude improvement, as precompile gas pricing is complex and network upgrades are costly. Reference existing precompile gas costs, like ecrecover at 3000 gas or the BLS12-381 operations defined in EIP-2537.
Finally, synthesize your findings into a decision framework. Proposals should present a trade-off matrix. Does the new scheme reduce gas costs by 40% for batch verification but increase single-signature cost by 20%? Does it improve verification speed by 10x off-chain but require a new, audited precompile? The optimal choice depends on the specific application: a rollup prioritizes cheap batch verification for thousands of signatures, while a wallet contract needs efficient single-sig verification. Your review should provide the concrete data needed to make that application-specific decision.
SIGNATURE SCHEMES
Frequently Asked Questions
Common technical questions and troubleshooting guidance for developers evaluating and implementing signature scheme proposals.
When reviewing a proposal, assess these four fundamental properties:
1. Security Assumptions: What mathematical problem is security based on (e.g., Discrete Log, Lattice hardness)? Are assumptions novel or well-studied?
2. Signature Size & Verification Cost: Measure in bytes and gas/CPU cycles. For blockchain use, a 64-byte Ed25519 signature is a common benchmark.
3. Aggregation Capability: Can multiple signatures be combined into one? This is critical for scaling, as seen in BLS signatures used by Ethereum's consensus.
4. Quantum Resistance: Does the scheme rely on problems believed to be hard for quantum computers? Lattice-based schemes like Dilithium (selected for NIST post-quantum standardization) are leading candidates.
Always compare these metrics against the specific application's requirements, such as throughput for a rollup or key management for a wallet.
resource-links
DEVELOPER REVIEW TOOLING
Essential Resources and Tools
Practical resources and frameworks for reviewing cryptographic signature scheme proposals. These cards focus on how to evaluate security assumptions, implementation readiness, and standardization status when assessing new or draft schemes.
03
Security Model and Reduction Checklist
A signature proposal is only as strong as its formal security argument. Reviewing this does not require proving the scheme correct but does require verifying the structure of the claim.
Key questions to answer:
- Is the scheme proven secure in the Random Oracle Model or standard model?
- Are reductions tight or do they lose several bits of security?
- Are adversary capabilities clearly bounded (chosen-message, adaptive, multi-target)?
Red flags include:
- Security claims without a formal theorem
- Reductions that rely on undeclared hardness assumptions
- Parameter sets chosen "for efficiency" without quantified margins
This checklist approach prevents overvaluing novel constructions that lack rigorous grounding, which is critical for blockchain or consensus-layer adoption where upgrades are extremely costly.
04
Reference Implementations and Test Vectors
Reviewing a proposal without examining its reference implementation misses many practical risks.
What to look for:
- Availability of clean C or Rust reference code
- Presence of known-answer test vectors for signing and verification
- Deterministic vs randomized signing behavior
Implementation-level review should include:
- Constant-time enforcement for secret-dependent operations
- Clear separation between key generation, signing, and verification logic
- Memory access patterns that could leak via cache or power analysis
If no reference implementation exists, treat the proposal as research-stage only. Production readiness requires real code that survives fuzzing, cross-platform builds, and independent reimplementations.
05
Formal Verification and Symbolic Analysis Tools
Formal methods help validate cryptographic constructions beyond informal reasoning, especially for complex stateful or aggregate signature schemes.
Commonly used tools include:
- EasyCrypt for game-based proof modeling
- ProVerif for symbolic protocol analysis
- Coq or Isabelle for mechanized proofs of core properties
When reviewing a proposal, check whether:
- Any core properties have been machine-verified
- The model captures realistic adversary behavior
- Proof artifacts are publicly reproducible
While not mandatory for all schemes, formal verification is increasingly expected for primitives intended for Layer 1 blockchains, rollups, or multi-signature protocols involving large validator sets.
conclusion-next-steps
REVIEW PROCESS
Conclusion and Next Steps
This guide has outlined a structured approach for evaluating cryptographic signature scheme proposals. The next step is to apply this framework to real-world specifications.
A thorough review of a signature scheme proposal requires a multi-layered analysis. You should start by verifying the formal security proofs against standard models like the Random Oracle Model (ROM) or the Algebraic Group Model (AGM). Next, scrutinize the implementation details for side-channel vulnerabilities and ensure constant-time execution. Finally, assess the proposal's practical cryptographic agility—does it support key derivation, batch verification, or non-malleability? A scheme like BLS12-381, for instance, is favored for its aggregation properties, which are critical for blockchain scalability.
To put this into practice, begin with existing proposals from standards bodies like the IETF or NIST. For example, examine the RFC 9380 specification for hash-to-curve algorithms, a foundational component for many post-quantum and pairing-based schemes. Create a checklist based on the criteria discussed: - Security assumptions and reductions - Performance benchmarks across different platforms - Compatibility with existing protocol frameworks like TLS 1.3 or Ethereum's EIP-4844. Testing a prototype implementation against a known vectors test suite is a non-negotiable step for validating correctness.
The field of cryptographic signatures is rapidly evolving with the advent of post-quantum cryptography (PQC). Stay engaged with ongoing standardization efforts, particularly NIST's PQC project for digital signatures. Follow discussions in research forums like the IETF CFRG mailing list and review academic papers from conferences like CRYPTO and Eurocrypt. Contributing to open-source implementations, such as those in the Apache Milagro Crypto Library or the Rust arkworks ecosystem, provides invaluable hands-on experience and helps strengthen the security of the entire Web3 infrastructure.