Open Shimuuar opened 4 years ago
We need to create a high level, safe to use API for BLS signatures and their aggregation. It doesn't lend itself to a typeclass-based API easily, so it's probably better to write a monomorphic one. Things are made more difficult by the fact that there are 3 (!) aggregation schemes with different tradeoffs.

Here is a brief summary of the scheme. We have two groups of prime order p: G1, G2 with generators g1 and g2 respectively; a bilinear mapping e : (G1×G2) → GT (GT is a group of prime order as well, with its own generator); and a hash function H0 : {0,1}^* → G1.

Basic signature scheme

sk ← random from Z/p
pk = g2^sk
σ = H0(m)^sk : G1
Verification: e(σ, g2) = e(H0(m), pk)

Simple key aggregation

If we have a set of triples (m[i], σ[i], pk[i]) we can generate an aggregate signature, and, when all messages are the same, an aggregate public key:

apk = Π pk[i]
σ = Π σ[i]
e(σ, g2) = e(H0(m[1]), pk[1]) ... e(H0(m[n]), pk[n])
e(σ, g2) = e(H0(m), apk)   (when m[1] = ... = m[n] = m)

Note that this aggregation scheme is susceptible to a rogue key attack. Consider the following: Alice has public key pk1. The attack works as follows: the attacker publishes pk2 = g2^α·pk1^{-1}, where α : Z/p is chosen by the attacker, then picks a message m and computes its signature σ = H0(m)^α. This verifies against the aggregate key pk1·pk2:

e(σ, g2) = e(H0(m)^α, g2) = e(H0(m), g2^α) = e(H0(m), pk1·pk2)

Therefore the attacker is able to forge a signature of Alice without Alice signing anything. There are two defenses against this attack:

pk2 = g2^α·pk1^{-1} !

This scheme was created later and protects against rogue key attacks, but requires that each signer signs the same message. Key generation is done in the same way, but signing is different. Let's assume that we have a set of signers with key pairs (pk[i], sk[i]). In addition we'll need a hash function H1 : {0,1}^* → Z/p.

a[i] = H1(pk[i], {pk[1] .. pk[n]})
σ[i] = H0(m)^{a[i]·sk[i]}
σ = Π σ[i]
apk = Π pk[i]^{a[i]}
Verification: e(σ, g2^{-1}) e(H0(m), apk) = 1

Note that it's possible to aggregate signatures made using the previous method (σ[i] = H0(m)^{sk[i]}) using σ = Π σ[i]^{a[i]}. It also allows aggregating signatures without knowing the set of signers in advance. AFAIR this is how the bls library works.

Downside of this scheme is that it requires that everyone signs the same message.

What does all that mean from an API design PoV?
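To make the three pieces of the story above concrete (basic BLS, simple aggregation with its rogue key forgery, and the H1-weighted aggregation that rejects the same forgery), here is an added toy model; it is not code from this issue or from the project. It represents every element of G1, G2 and GT by its discrete logarithm modulo a constructed prime P, so the pairing becomes plain multiplication of logs. That reproduces the algebra of the verification equations exactly, which is all it is meant to check; it has no security value because every "secret" is visible. P, h0 and h1 are stand-ins built on SHA-256, not BLS12-381 parameters, and all function names are this example's own.

```python
# Toy model of the BLS schemes described above (added example, not project code).
# Group elements of G1, G2, GT are stored as their discrete logs mod P, so
# g^x is x, a product of elements is a sum of logs, elem^k is k*log(elem), and
# e(g1^x, g2^y) = gT^(x*y) is x*y mod P.  Only the algebra is meaningful here.
import hashlib
import secrets

P = 2**127 - 1  # prime order of the toy groups (constructed, not a curve parameter)


def h0(m):
    """H0 : {0,1}^* -> G1, returned as the log of the hashed point (toy)."""
    return int.from_bytes(hashlib.sha256(b"H0|" + m).digest(), "big") % P


def h1(pk, pks):
    """H1 : {0,1}^* -> Z/p, bound to pk AND the whole key set {pk[1..n]} (toy)."""
    data = b"H1|" + pk.to_bytes(16, "big") + b"|" + b"".join(
        k.to_bytes(16, "big") for k in sorted(pks))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def pairing(x, y):            # e(g1^x, g2^y) = gT^(x*y)
    return (x * y) % P


def g_mul(*elems):            # product of group elements = sum of logs
    return sum(elems) % P


def g_pow(elem, k):           # elem^k
    return (elem * k) % P


def g_inv(elem):              # elem^{-1}
    return (-elem) % P


# --- Basic signature scheme -------------------------------------------------
def keygen():
    sk = secrets.randbelow(P - 1) + 1
    return sk, g_pow(1, sk)   # pk = g2^sk, with log(g2) = 1


def sign(sk, m):
    return g_pow(h0(m), sk)   # sigma = H0(m)^sk


def verify(pk, m, sigma):
    return pairing(sigma, 1) == pairing(h0(m), pk)   # e(sigma, g2) = e(H0(m), pk)


# --- Simple key aggregation --------------------------------------------------
def verify_distinct(pks, msgs, sigma):
    """e(sigma, g2) = prod_i e(H0(m[i]), pk[i]); a product in GT is a sum of logs."""
    return pairing(sigma, 1) == sum(pairing(h0(m), pk) for m, pk in zip(msgs, pks)) % P


def verify_simple(apk, m, sigma):
    """Same-message case: e(sigma, g2) = e(H0(m), apk) with apk = prod pk[i]."""
    return pairing(sigma, 1) == pairing(h0(m), apk)


# --- Rogue key against simple aggregation -------------------------------------
def rogue_key(pk_alice, alpha):
    return g_mul(g_pow(1, alpha), g_inv(pk_alice))   # pk2 = g2^alpha * pk1^{-1}


# --- H1-weighted scheme -------------------------------------------------------
def sign_weighted(sk, pk, pks, m):
    return g_pow(h0(m), (h1(pk, pks) * sk) % P)      # sigma[i] = H0(m)^{a[i]*sk[i]}


def aggregate_weighted(sigmas, pks):
    apk = g_mul(*(g_pow(pk, h1(pk, pks)) for pk in pks))   # apk = prod pk[i]^{a[i]}
    return g_mul(*sigmas), apk


def weight_plain_signatures(sigmas, pks):
    """Aggregate basic-scheme signatures afterwards: sigma = prod sigma[i]^{a[i]}."""
    return g_mul(*(g_pow(s, h1(pk, pks)) for s, pk in zip(sigmas, pks)))


def verify_weighted(apk, m, sigma):
    # e(sigma, g2^{-1}) * e(H0(m), apk) = 1; the identity of GT has log 0
    return (pairing(sigma, g_inv(1)) + pairing(h0(m), apk)) % P == 0


def rogue_key_demo(m=b"constructed message"):
    """Returns (naive accepts forgery, weighted accepts forgery)."""
    sk1, pk1 = keygen()                       # Alice; sk1 is never used below
    alpha = secrets.randbelow(P - 1) + 1
    pk2 = rogue_key(pk1, alpha)
    forged = g_pow(h0(m), alpha)              # sigma = H0(m)^alpha
    naive = verify_simple(g_mul(pk1, pk2), m, forged)
    _, apk_w = aggregate_weighted([forged], [pk1, pk2])
    return naive, verify_weighted(apk_w, m, forged)


def honest_weighted_demo(m=b"constructed message"):
    """Returns (weighted signing verifies, re-weighted plain signatures verify)."""
    keys = [keygen() for _ in range(3)]
    pks = [pk for _, pk in keys]
    sigma, apk = aggregate_weighted([sign_weighted(sk, pk, pks, m) for sk, pk in keys], pks)
    plain = [sign(sk, m) for sk, _ in keys]
    return verify_weighted(apk, m, sigma), verify_weighted(apk, m, weight_plain_signatures(plain, pks))
```

`rogue_key_demo()` returns `(True, False)`: the forged σ passes the naive aggregate check against pk1·pk2 and fails the weighted one, because apk there is pk1^{a1}·pk2^{a2} and a1 ≠ a2 once H1 is bound to the whole key set. `honest_weighted_demo()` returns `(True, True)`, exercising both the weighted signing path and the "aggregate plain signatures later with exponents a[i]" variant from the issue.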