BLS signature aggregation definitions

Consider a bilinear pairing

e : G_0 × G_1 → G_T

which is efficiently computable, non-degenerate, and all three groups have prime order q, and g0 ∈ G0 and g1 ∈ G1 are generators. Let

H_0 : M → G_0

be a Hash function treated as a random oracle.

Then the BLS signature scheme using the following definitions:

KeyGen(): choose α ← Zq randomly, let h ← g α 1 ∈ G1, output pk := (h), sk := (α). Sign(sk,m): output σ ← H0(m) α ∈ G0 Verify(pk,m,σ): if e(g1, σ) = e(pk, H0(m)) output accept, otherwise reject. With triples (pki , mi , σi) for 1 ≤ i ≤ n, anyone can aggregate the signatures σ1, ..., σn ∈ G0 into a short convincing aggregate signature σ by computing

σ ← σ_1 · · · σ_n ∈ G_0.

Verifying an aggregate signature σ ∈ G_0 is done by checking that the following condition is satisfied:

e(g_1, σ) = e(pk_1, H_0(m_1)) · · · e(pk_n, H_0(m_n)).

PreviousMultisig Security NextProving security definition references

Last updated 1 year ago