BLS signature aggregation definitions

Consider a bilinear pairing

e:G0ร—G1โ†’GTe : G_0 ร— G_1 โ†’ G_T

which is efficiently computable, non-degenerate, and all three groups have prime order q, and g0 โˆˆ G0 and g1 โˆˆ G1 are generators. Let

H0:Mโ†’G0H_0 : M โ†’ G_0

be a Hash function treated as a random oracle.

Then the BLS signature scheme using the following definitions:

KeyGen(): choose ฮฑ โ† Zq randomly, let h โ† g ฮฑ 1 โˆˆ G1, output pk := (h), sk := (ฮฑ). Sign(sk,m): output ฯƒ โ† H0(m) ฮฑ โˆˆ G0 Verify(pk,m,ฯƒ): if e(g1, ฯƒ) = e(pk, H0(m)) output accept, otherwise reject. With triples (pki , mi , ฯƒi) for 1 โ‰ค i โ‰ค n, anyone can aggregate the signatures ฯƒ1, ..., ฯƒn โˆˆ G0 into a short convincing aggregate signature ฯƒ by computing

ฯƒโ†ฯƒ1โ‹…โ‹…โ‹…ฯƒnโˆˆG0.ฯƒ โ† ฯƒ_1 ยท ยท ยท ฯƒ_n โˆˆ G_0.

Verifying an aggregate signature ฯƒ โˆˆ G_0 is done by checking that the following condition is satisfied:

e(g1,ฯƒ)=e(pk1,H0(m1))โ‹…โ‹…โ‹…e(pkn,H0(mn)).e(g_1, ฯƒ) = e(pk_1, H_0(m_1)) ยท ยท ยท e(pk_n, H_0(m_n)).

Last updated