Chapter status: ✅ in good shape ✅

Related puzzles: Puzzle 1

TODO:

add details about hashing into groups

write a more rigorous game-based proof for BLS

write the security proof for aggregate BLS signatures

BLS Signatures

The BLS signature scheme was proposed by Boneh, Lynn, and Shacham [BLS01] (see also the corresponding journal paper [BLS04] and the IETF draft) and was one of the first applications of pairings to cryptography (shortly after tripartite Diffie-Hellman and identity-based encryption). Note that the BLS initialism can refer to two different things in cryptography: Boneh-Lynn-Shacham signatures discussed in this chapter and Barreto-Lynn-Scott curves, a family of pairing-friendly elliptic curves. It is possible to implement BLS (signatures) on BLS (curves).

Description of BLS
Security of BLS
- Security Proof
- Discussion
Signature Aggregation
A Note about Non-Repudiation
Further Topics to Cover

Description of BLS

For the general syntax and the EUF-CMA security definition, refer to the corresponding chapter.

Let $PairingSetup$ be a pairing group setup algorithm. The BLS signature scheme is defined as follows:

The $Setup$ algorithm, on input the security parameter $1^{λ},$ runs $(G_{1}, G_{2}, G_{t}, r, e) \leftarrow PairingSetup (1^{λ})$ and draws a random generator $G_{2}$ of $G_{2} .$ It also specifies a hash function $H : {0, 1}^{*} \to G_{1}$ mapping bit strings to group elements in $G_{1} .$ The public parameters consist of the tuple $p a r = (G_{1}, G_{2}, G_{t}, r, e, G_{2}, H) .$
The key generation algorithm $KeyGen$ draws a random scalar $x \leftarrow_{$} Z_{r}$ and computes the point $X = x G_{2}$ on curve $G_{2};$ the secret key is $x$ and the public key is $X .$
The signature algorithm $Sign,$ on input a secret key $x$ and a message $m,$ computes the point $S = x H (m)$ on curve $G_{1};$ the signature is $S .$
The verification algorithm, on input a public key $X,$ a message $m,$ and a signature $S,$ returns 1 (i.e., declares the signature valid) if $e (S, G_{2}) = e (H (m), X), (17.1)$ otherwise it returns 0 (invalid signature).

A good way to think about BLS signatures is as follows: given a message $m$ with corresponding point $H (m)$ in $G_{1},$ the signature of $m$ is the point $S$ such that the discrete logarithm of $S$ in base $H (m)$ is equal to the discrete logarithm of $X$ in base $G_{2}$ (that is, the secret key $x) .$ This is reminiscent of the Chaum-Antwerpen undeniable signature scheme [CA89]. Checking discrete logarithm equality is exactly what the pairing $e$ enables to do efficiently.

Note that the signature algorithm is deterministic and hence always returns the same signature for a given secret key/message pair; this is called a unique signature scheme.

The roles of $G_{1}$ and $G_{2}$ can be swapped, in which case public keys are in $G_{1}$ and signatures in $G_{2}$ (recall that bit string representations of elements are larger and arithmetic is less efficient for $G_{2}$ than for $G_{1},$ so the choice depends on what is more important to optimize depending on the use case). In that case, the hash function must have outputs in $G_{2}$ and hence this is not possible with a type-2 pairing.

The scheme is correct, meaning that for every key pair $(x, X)$ possibly output by the key generation algorithm and every message $m,$ the signature $S$ computed by the signature algorithm is declared valid by the verification algorithm. Indeed, $e (S, G_{2}) = e (x H (m), G_{2}) = e (H (m), G_{2})^{x} = e (H (m), x G_{2}) = e (H (m), X),$ hence Eq. (17.1) is satisfied.

Security of BLS

Security Proof

The BLS scheme is provably EUF-CMA-secure assuming the so-called co-CDH $^{*}$ problem is hard for $(G_{1}, G_{2})$ and modeling the hash function $H$ as a random oracle. The co-CDH $^{*}$ problem for two groups $G_{1}$ and $G_{2}$ of order $r$ is defined as follows: given random generators $G_{1}$ and $G_{2}$ of $G_{1}$ and $G_{2}$ respectively, $X_{1} = x G_{1}$ and $X_{2} = x G_{2}$ for $x \leftarrow_{$} Z_{r},$ and a random group element $Y \in G_{1},$ compute $x Y .$ This might be thought of as CDH in $G_{1}$ with additional "hint" $(G_{2}, X_{2} = x G_{2}) \in G_{2}^{2} .$

Theorem 17.1. Assume that the co-CDH $^{*}$ problem is hard for $PairingSetup .$ Then the BLS signature scheme is EUF-CMA-secure in the random oracle model for $H .$ More precisely, for any adversary $A$ against the EUF-CMA security of BLS making at most $q_{h}$ random oracle queries and $q_{s}$ signature queries, there exists an adversary $B$ for the co-CDH $^{*}$ problem running in time similar to the time of $A$ and such that $Adv_{A}^{euf-cma} (λ) = (q_{h} + 1) Adv_{B}^{co-cdh^{*}} (λ) .$

Proof

Let $A$ be an adversary against the EUF-CMA security of BLS making at most $q_{h}$ random oracle queries and $q_{s}$ signature queries. From $A,$ one can easily construct an adversary $A^{'}$ having the same advantage as $A$ and such that (i) $A^{'}$ always makes the random oracle query $H (m^{*})$ before returning its forgery $(m^{*}, S^{*})$ and (ii) $A^{'}$ makes exactly $q_{h} + 1$ random oracle queries. From now one, we assume that $A$ satisfies properties (i) and (ii).

We construct an adversary $B$ for the co-CDH $^{*}$ problem as follows. $B$ takes as input pairing group parameters $p g p a r = (G_{1}, G_{2}, G_{t}, r, e)$ and a co-CDH $^{*}$ instance $(G_{1}, X_{1}, G_{2}, X_{2}, Y)$ with $X_{1} = x G_{1}$ and $X_{2} = x G_{2} .$ It runs $A$ on input BLS parameters $(G_{1}, G_{2}, G_{t}, r, e, G_{2}, H)$ where $H$ is the interface to the random oracle (that $B$ will simulate) and public key $X_{2} .$ At the beginning of the simulation, $B$ draws a random integer $i^{*} \leftarrow_{$} {1, \dots, q_{h} + 1}$ and initializes a table $T$ for storing answers of the simulated random oracle $H .$ When $A$ makes a random oracle query $H (m)$ such that $T (m)$ has not been defined yet, $B$ either draws $ρ_{i} \leftarrow_{$} Z_{r}$ and returns $T (m) : = ρ_{i} G_{1}$ if this is the $i$ -th query, $i \neq = i^{*},$ or returns $T (m) : = Y$ if this is the $i^{*}$ -th query. When $A$ makes a signing query $Sign (m),$ then:

if $T (m)$ is undefined, then $B$ draws $ρ \leftarrow_{$} Z_{r},$ sets $T (m) : = ρ G_{1},$ and returns the signature $S : = ρ X_{1};$ note that this signature is valid since $S = ρ x G_{1} = x T (m);$
if $T (m)$ has already been defined, this was necessarily during the query $H (m)$ made by $A;$ if this was the $i$ -th query, $i \neq = i^{*},$ then $B$ returns the signature $S : = ρ_{i} X_{1};$ again, this signature is valid since $S = ρ_{i} x G_{1} = x T (m);$ otherwise, if $T (m)$ was defined by the $i^{*}$ -th query, then $B$ aborts the simulation of the game and returns $⊥.$

Eventually, when $A$ halts and returns its forgery $(m^{*}, S^{*}),$ three cases can occur (recall that by assumption $A$ made the random oracle query $H (m^{*}),$ hence $T (m^{*})$ is necessarily defined):

if $(m^{*}, S^{*})$ is not a valid forgery (either because $m^{*}$ was queried to the sign oracle or because the signature is invalid), then $B$ returns $⊥;$
if $(m^{*}, S^{*})$ is a valid forgery and $T (m^{*})$ was defined during the $i$ -th query to the random oracle, $i \neq = i^{*},$ the $B$ returns $⊥;$
if $(m^{*}, S^{*})$ is a valid forgery and $T (m^{*})$ was defined during the $i^{*}$ -th query to the random oracle, then $B$ returns $S^{*}$ as solution to the co-CDH $^{*}$ instance.

In the third case, one can easily check that $S^{*}$ is the correct solution since $T (m^{*})$ was defined as $Y$ so that $S^{*} = x T (m^{*}) = x Y .$ Moreover, conditioned on $A$ being successful, the view of $A$ is independent from $i^{*}$ and hence the third case occurs with probability $1/ (q_{h} + 1) .$ Hence, $Adv_{B}^{co-cdh^{*}} (λ) = \frac{1}{q _{h} + 1} Adv_{A}^{euf-cma} (λ) .$

This reduction loses a factor roughly $q_{h}$ in its success probability. One can obtain a better reduction losing a factor $q_{s}$ by using a slightly more careful strategy for "embedding" the challenge $Y$ in the random oracle answers, see Section 15.5.1 of the Boneh-Shoup textbook.

Discussion

The various statements and proofs of the security of BLS signatures in the literature can be confusing. The security theorem that we just proved holds for any pairing group setup algorithm. However, depending on the pairing type, it can be rephrased slightly differently.

The original conference paper [BLS01] was only considering symmetric (a.k.a. type-1) pairings (i.e., $G_{1} = G_{2} = G)$ and proved EUF-CMA security assuming the CDH problem in $G$ is hard. Theorem 17.1 implies this specific case since for type-1 pairings, hardness of co-CDH $^{*}$ is equivalent to hardness of CDH in $G,$ as we prove now.

Proposition 17.1. Let $PairingSetup$ be a type-1 pairing group setup algorithm. Then co-CDH $^{*}$ $\equiv$ CDH.

Proof

One the one hand, co-CDH $^{*}$ $≦$ CDH is trivial. On the other hand, CDH $≦$ co-CDH $^{*}$ can be proved as follows. Let $A$ be an algorithm for the co-CDH $^{*}$ problem. We construct an algorithm $B$ for solving CDH as follows. On input $(G_{1}, X_{1} = x G_{1}, Y) \in G^{3},$ $B$ draws a random value $ρ \leftarrow_{$} Z_{r} ∖ {0}$ and computes $G_{2} : = ρ G_{1}$ and $X_{2} : = ρ X_{1} .$ Then $X_{2} = ρ x G_{1} = x G_{2}$ and $G_{2}$ is distributed uniformly in $G ∖ {0}$ and independently from $G_{1} .$ Hence, $(G_{1}, X_{1}, G_{2}, X_{2}, Y)$ is a correctly distributed instance of co-CDH $^{*}$ that $B$ can pass as input to $A .$ The solution $x Y$ of this co-CDH $^{*}$ instance is also the solution to the original CDH instance. Hence, the advantage of $B$ is equal to the advantage of $A .$

Later, the journal paper [BLS04] considered asymmetric pairings ( $G_{1} \neq = G_{2})$ for which an efficiently computable group isomorphism $ψ$ from $G_{2}$ to $G_{1}$ is available (i.e., a type-2 pairing) and proved security assuming the co-CDH problem is hard.¹ The co-CDH problem is similar to the co-CDH $^{*}$ problem except the adversary is only given $G_{2} \in G_{2},$ $X_{2} = x G_{2},$ and $Y \in G_{1},$ and must compute $x Y .$ Again, Theorem 17.1 implies this specific case since for type-2 pairings, co-CDH $^{*}$ is equivalent to co-CDH.

Proposition 17.2. Let $PairingSetup$ be a type-2 pairing group setup algorithm. Then co-CDH $^{*}$ $\equiv$ co-CDH.

Proof

On the one hand, co-CDH $^{*}$ $≦$ co-CDH is straightforward. Conversely, one can prove that co-CDH $≦$ co-CDH $^{*}$ as follows. Let $A$ be an adversary for the co-CDH $^{*}$ problem. We construct an adversary $B$ for the co-CDH problem as follows. On input $(G_{2}, X_{2} = x G_{2}, Y) \in G_{2}^{2} \times G_{1},$ $B$ draws a random value $ρ \leftarrow_{$} Z_{r} ∖ {0}$ and computes $G_{1} : = ψ (ρ G_{2})$ and $X_{1} : = ψ (ρ X_{2}) .$ Then $X_{1} = ψ (ρ x G_{2}) = x ψ (ρ G_{2}) = x G_{1}$ and $G_{1}$ is distributed uniformly in $G_{1} ∖ {0}$ and independently from $G_{2} .$ Hence, $(G_{1}, X_{1}, G_{2}, X_{2}, Y)$ is a correctly distributed instance of co-CDH $^{*}$ that $B$ can pass as input to $A .$ The solution $x Y$ of this co-CDH $^{*}$ instance is also the solution to the original co-CDH instance. Hence, the advantage of $B$ is equal to the advantage of $A .$

Interestingly, [BLS04] gives an example of type-3 pairing group setup algorithm (i.e., such that no efficiently computable isomorphism from $G_{2}$ to $G_{1}$ is known) for which co-CDH is conjectured to be hard but BLS over this pairing group setup algorithm is insecure. Let $G_{2} = G_{t}$ be a subgroup of order $r$ of the multiplicative group $Z_{p}^{*},$ let $G_{1}$ be the additive group $Z_{r},$ and let $e : G_{1} \times G_{2} \to G_{2}$ be defined as $e (x, y) = y^{x} .$ Note that DL is easy in $G_{1},$ which implies that DL in $G_{2}$ reduces to co-CDH (an algorithm solving co-CDH returns $x Y,$ which allows to solve for $x$ by computing the discrete log of $x Y$ in base $Y$ in $G_{1}) .$ As DL in $G_{2}$ is conjectured hard for sufficiently large $p$ and $r,$ co-CDH is conjectured hard for $(G_{1}, G_{2})$ for such parameters as well. Hence, maybe counter-intuitively, hardness of co-CDH does not necessarily imply hardness of DL in $G_{1}$ ! On the other hand, DL being easy in $G_{1}$ implies that BLS is not EUF-CMA-secure. This shows the necessity of the stronger co-CDH $^{*}$ assumption for proving the security of BLS for type-3 pairings. For type-2 pairings, hardness of co-CDH does imply hardness of DL in $G_{2}$ (obviously) but also in $G_{1},$ as shown by the following proposition.

Proposition 17.3. Let $PairingSetup$ be a type-2 pairing group setup algorithm. Then $co-CDH ≦ CDH_{G_{1}} ≦ DL_{G_{1}} .$

Proof

That CDH $_{G_{1}}$ $≦$ DL $_{G_{1}}$ is clear. Let us show that co-CDH $≦$ CDH $_{G_{1}} .$ Let $A$ be an algorithm for solving CDH in $G_{1} .$ We construct an algorithm $B$ for the co-CDH problem as follows. On input $(G_{2}, X_{2} = x G_{2}, Y) \in G_{2}^{2} \times G_{1},$ $B$ computes $G_{1} : = ψ (G_{2})$ and $X_{1} : = ψ (X_{2}) .$ Then $(G_{1}, X_{1}, Y)$ is a correctly distributed CDH instance that $B$ can pass as input to $A .$ The solution $x Y$ of this CDH instance is also a solution of the original co-CDH instance. Hence, the advantage of $B$ is equal to the advantage of $A .$

To finish, we note that hardness of co-CDH $^{*}$ is actually equivalent to EUF-CMA-security of BLS (even for a type-3 pairing where no efficiently computable isomorphism $ψ : G_{2} \to G_{1}$ is known). Indeed, given an algorithm $A$ solving co-CDH $^{*},$ one can construct an adversary $B$ breaking BLS as follows. Given $G_{2}$ and a public key $X_{2} = x G_{2},$ $B$ makes queries $G_{1} : = H (m)$ and $X_{1} : = Sign (m)$ for an arbitrary message $m .$ Note that $X_{1} = x G_{1} .$ Then it chooses an arbitrary message $m^{*} \neq = m$ and queries $Y : = H (m^{*}) .$ It runs $A$ on input $(G_{1}, X_{1}, G_{2}, X_{2}, Y)$ which is a correctly distributed co-CDH $^{*}$ challenge, unless $G_{1} = 0$ which happens with negligible probability. If $A$ returns the correct answer $S^{*} = x Y$ to this co-CDH $^{*}$ challenge, then $(m^{*}, S^{*})$ is a valid forgery.

This equivalence holds because we considered the "random generator" variant of co-CDH $^{*}$ where $G_{1}$ and $G_{2}$ are drawn at random. As noted in [CHKM10], for type-3 pairings, it is not known whether breaking EUF-CMA-security of BLS reduces to the "fixed generator" variant of co-CDH $^{*}$ where $G_{1}$ and $G_{2}$ are fixed (the previous reduction does not work anymore since there is only a negligible chance to "hit" the fixed generator $G_{1}$ when making queries $H (m)) .$

The following figure summarizes the above results (a double-arrow between two problems meaning equivalence):

graph TD;
    A(CDH) <-- type-1 --> C(co-CDH*);
    B(co-CDH) <-- type-2 --> C;
    C <-- type-1/2/3 --> D(EUF-CMA-sec of BLS);

Note that the notion of type-1/2/3 pairing was only introduced in 2008 [GPS08], a few years after the journal version of the BLS paper [BLS04]. For more discussion about type-2/type-3 pairings and the consequences of an efficiently computable isomorphism $ψ : G_{2} \to G_{1}$ in security proofs of pairing-based schemes, see [SV07], [CHKM10], and [CM09].

Signature Aggregation

BLS signatures have a handy property: they can be aggregated non-interactively [BGLS03]. This means that given $n$ signature $σ_{i}$ for respective public key/message pairs $(p k_{i}, m_{i}),$ $0 \leq i \leq n - 1,$ it is possible to compute a compact aggregate signature $σ$ (of size similar to the one of a single signature) that proves that message $m_{i}$ was signed by the owner of public key $p k_{i}$ for every $i \in {0, \dots, n - 1}$ (exactly as the tuple $(σ_{0}, \dots, σ_{n - 1})$ would).

To turn BLS into an aggregate signature scheme, the aggregate signature for a tuple $(S_{0}, \dots, S_{n - 1}) \in G_{1}^{n}$ of $n$ signatures is simply defined as the sum of all signatures $S_{i} :$ $S : = i = 0 \sum n - 1 S_{i} .$ Note that aggregation can be performed "publicly" by an untrusted party different from all signers. It can also be performed "incrementally", meaning new signatures can be aggregated to an aggregate signature. One can even aggregate aggregate signatures (sic). The only requirement is to keep track of all public key/message pairs the signatures of which have been aggregated.

Given $n$ public key/message pairs $(X_{i}, m_{i}),$ $0 \leq i \leq n - 1,$ an aggregate signature $S$ is valid for these $n$ pairs if $e (S, G_{2}) = i = 0 \prod n - 1 e (H (m_{i}), X_{i}) . (17.2)$ Even though the size of the aggregate signature is $O (1),$ the complexity of verification still scales linearly with the number of signatures. Correctness of the scheme can be verified similarly to standard BLS signatures.

The EUF-CMA security notion can easily be adapted to aggregate signature schemes: no polynomial-time adversary, being given a target public key $p k^{*}$ and having access to a standard signature oracle for the corresponding secret key $s k^{*}$ (i.e., returning non-aggregate signatures), should be able to return an $n$ -tuple of public key/message pairs $((p k_{0}, m_{0}), \dots, (p k_{n - 1}, m_{n - 1}))$ and an aggregate signature $σ$ such that:

$p k_{i} = p k^{*}$ for some $i \in {0, \dots, n - 1},$
$m_{i}$ was not queried to the signature oracle,
$σ$ is valid for the tuple $((p k_{0}, m_{0}), \dots, (p k_{n - 1}, m_{n - 1})) .$

Note that the adversary can choose extra public keys $p k_{j}$ as it wishes, in particular as a function of the target public key $p k^{*} .$

BLS aggregate signatures are provably EUF-CMA-secure assuming hardness of the $ψ$ -co-CDH problem and modeling the hash function $H$ as a random oracle. There is one caveat though: messages must be distinct, otherwise a so-called rogue key attack is possible. To see why, say the adversary is given a target public key $X^{*} \in G_{2} .$ Then it can draw $y \leftarrow_{$} Z_{r}$ and compute a second public key $X^{'} : = y G_{2} - X^{*} .$ Now, for any message $m,$ the adversary can compute a forgery for the pair $((X^{*}, m), (X^{'}, m))$ as $S : = yH (m) .$ This forgery satisfies the verification equation as $e (H (m), X^{*}) \cdot e (H (m), X^{'}) = e (H (m), X^{*}) \cdot e (H (m), y G_{2} - X^{*}) = e (H (m), X^{*} + y G_{2} - X^{*}) = e (H (m), y G_{2}) = e (yH (m), G_{2}) = e (S, G_{2}) .$

Note that the adversary does not know the secret key $y - x^{*}$ corresponding to public key $X^{'} = y G_{2} - X^{*},$ hence the name "rogue key attack".

A simple fix against this attack is simply to prepend the public key to the message in the hash function, meaning a signature on message $m$ for secret/public key pair $(x, X)$ is redefined as $S : = x H (X ∥ m) .$ Then, the condition that messages should be different can safely be lifted [BNN07].

This, however, precludes an interesting optimization of the verification in case all messages are equal.² Indeed, when $m_{0} = m_{1} = \dots = m_{n - 1} = m,$ Eq. (17.2) simplifies to $e (S, G_{2}) = e (H (m), \sum_{i = 0}^{n - 1} X_{i}) . (17.3)$ Hence, on the right hand-side, instead of a product of $n$ pairings, we now have to compute a single pairing applied to a sum of $n$ elliptic curve points, which can be computed more efficiently.

In order to be able to use (17.3) for verification when messages are equal, a different fix can be used to thwart rogue key attacks. Namely, each user must provide a proof of possession (PoP) of the secret key associated with his public key. The notion of PoP is somewhat informal as, to the best of my knowledge, there is not rigorous definition of the security properties it should have. The idea is that it should demonstrate that the user has access to the functionality associated with his public key, namely signing. Hence, a simple PoP consists of the user signing its own public key, $π : = x H^{'} (X) .$ Intuitively, this makes sense since in a rogue key attack, the adversary cannot compute the secret key associated with the rogue public key (which it computes as a function of the target public key). This solution was proved secure assuming the hash function used for the PoP is different from the hash function used for actual message signing, which can be achieved from a single hash function by enforcing domain separation [RY07].

A Note about Non-Repudiation

Non-repudiation is often presented as a logical consequence of existential unforgeability (if no one except Alice can produce a valid signature on message $m,$ and a valid signature on message $m$ is presented to a judge, the judge should conclude that Alice actually did sign message $m) .$ But what if Alice was able to choose her secret/public key pair $(s k, p k)$ in a way that allows her to find two messages $m$ and $m^{'}$ and a signature $σ$ which is valid for both messages, i.e., $Verif (p k, m, σ) = Verif (p k, m^{'}, σ) = 1. (17.4)$ Then, confronted by the judge with a valid signature $σ$ for message $m,$ Alice could claim that she has in fact signed $m^{'}$ instead. Hence, non-repudiation should rather be seen as the combination of existential unforgeability with a second security notion, often called message biding in the literature, which demands that no malicious user be able to generate a public key $p k,$ two messages $m$ and $m^{'},$ and a signature $σ$ such that $m \neq = m^{'}$ and (17.4) holds.

It is easy to see that standard BLS signatures are message binding if $H$ is collision-resistant. Things are more subtle though when considering aggregate signatures [Qua21]. In particular, if $t \geq 2$ users collide (or if a single malicious user controls $t \geq 2$ public keys), they can arrange to choose their public keys $X_{0}, \dots, X_{t - 1}$ such that $X_{0} + \dots + X_{t - 1} = 0.$ Then, in the PoP-based variant of the scheme where Eq. (17.3) is used for verification, $S = 0$ is a valid signature for any message $m :$ the scheme is not message binding. Note that checking that $S \neq = 0$ in the verification algorithm does not thwart the attack as $S$ can be further aggregated with other valid signatures $S_{t}, \dots, S_{n - 1}$ for arbitrary public key/message pairs $(X_{t}, m_{t}),$ $\dots,$ $(X_{n - 1}, m_{n - 1}),$ resulting in an aggregate signature $S^{'} \neq = 0$ which still does not bound signers $0, \dots t - 1$ to a specific message.

Further Topics to Cover

BLS multi-signatures [BDN18]
BLS threshold signatures [BL22]
use of BLS signatures in the Ethereum beacon chain

1: Somehow confusingly, recent papers tend to use the name co-CDH for what we call co-CDH $^{*}$ here.

2: The setting where all users sign the exact same message requires a primitive slightly different from an aggregate signature scheme called a multisignature scheme.

Crypto Book (Work in Progress)

BLS Signatures

Contents

Description of BLS

Security of BLS

Security Proof

Discussion

Signature Aggregation

A Note about Non-Repudiation

Further Topics to Cover