94 lines
4.0 KiB
HTML
94 lines
4.0 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<TITLE> [BLS-wg] New algorithm for aggregating BLS signatures
|
|
</TITLE>
|
|
<LINK REL="Index" HREF="/pipermail/bls-wg/2018/index.html" >
|
|
<LINK REL="made" HREF="mailto:bls-wg%40lists.zfnd.org?Subject=Re%3A%20%5BBLS-wg%5D%20New%20algorithm%20for%20aggregating%20BLS%20signatures&In-Reply-To=%3CCAHUJnBC%2B1ZAeVDcLaPFYq-%2BybyvfFs7oYJXWjMD6Ae5FE34BTg%40mail.gmail.com%3E">
|
|
<META NAME="robots" CONTENT="index,nofollow">
|
|
<style type="text/css">
|
|
pre {
|
|
white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */
|
|
}
|
|
</style>
|
|
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
|
|
<LINK REL="Previous" HREF="000006.html">
|
|
|
|
</HEAD>
|
|
<BODY BGCOLOR="#ffffff">
|
|
<H1>[BLS-wg] New algorithm for aggregating BLS signatures</H1>
|
|
<B>Bram Cohen</B>
|
|
<A HREF="mailto:bls-wg%40lists.zfnd.org?Subject=Re%3A%20%5BBLS-wg%5D%20New%20algorithm%20for%20aggregating%20BLS%20signatures&In-Reply-To=%3CCAHUJnBC%2B1ZAeVDcLaPFYq-%2BybyvfFs7oYJXWjMD6Ae5FE34BTg%40mail.gmail.com%3E"
|
|
TITLE="[BLS-wg] New algorithm for aggregating BLS signatures">bram at chia.net
|
|
</A><BR>
|
|
<I>Mon Mar 26 16:50:05 EDT 2018</I>
|
|
<P><UL>
|
|
<LI>Previous message (by thread): <A HREF="000006.html">[BLS-wg] New algorithm for aggregating BLS signatures
|
|
</A></li>
|
|
|
|
<LI> <B>Messages sorted by:</B>
|
|
<a href="date.html#7">[ date ]</a>
|
|
<a href="thread.html#7">[ thread ]</a>
|
|
<a href="subject.html#7">[ subject ]</a>
|
|
<a href="author.html#7">[ author ]</a>
|
|
</LI>
|
|
</UL>
|
|
<HR>
|
|
<!--beginarticle-->
|
|
<PRE>I pointed Dan Boneh to this post and he said:
|
|
|
|
|
|
Excellent. Great to see that they are reading it. The comment is correct
|
|
... that is the right way to interpret the batch verification formula.
|
|
|
|
On Sun, Mar 25, 2018 at 11:05 PM, Sean Bowe <<A HREF="/mailman/listinfo/bls-wg">sean at z.cash</A>> wrote:
|
|
|
|
><i> Thanks for posting, looks cool!
|
|
</I>><i>
|
|
</I>><i> I noticed that the batch verification technique proposed in Dan's note
|
|
</I>><i> encourages you to perform the random exponentiations on the pairing
|
|
</I>><i> products, but in practice it's probably more efficient for you to
|
|
</I>><i> apply them as scalar multiplications to the aggregated public keys
|
|
</I>><i> prior to the pairings. That is,
|
|
</I>><i>
|
|
</I>><i> e(g_1, sigma) = e(apk_1 * rho_1, H_0(m_1)) *** e(apk_b * rho_b, H_0(m_b))
|
|
</I>><i>
|
|
</I>><i> Or, you could also apply it to the G2 element by combining it with the
|
|
</I>><i> G2 cofactor multiplication you have to do anyway as a result of
|
|
</I>><i> hashing to the group. (The G2 cofactor is quite large, so it may pay
|
|
</I>><i> off if you're doing windowed exponentiation.)
|
|
</I>><i>
|
|
</I>><i> Sean
|
|
</I>><i>
|
|
</I>><i> On Sat, Mar 24, 2018 at 9:40 PM, Bram Cohen via bls-wg
|
|
</I>><i> <<A HREF="/mailman/listinfo/bls-wg">bls-wg at lists.z.cash.foundation</A>> wrote:
|
|
</I>><i> > Dan Boneh came up with a new approach for aggregating BLS signatures
|
|
</I>><i> which
|
|
</I>><i> > allows keys to be aggregated as well as signatures. We're going to be
|
|
</I>><i> > implementing this:
|
|
</I>><i> >
|
|
</I>><i> > <A HREF="https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html">https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html</A>
|
|
</I>><i>
|
|
</I>
|
|
</PRE>
|
|
|
|
<!--endarticle-->
|
|
<HR>
|
|
<P><UL>
|
|
<!--threads-->
|
|
<LI>Previous message (by thread): <A HREF="000006.html">[BLS-wg] New algorithm for aggregating BLS signatures
|
|
</A></li>
|
|
|
|
<LI> <B>Messages sorted by:</B>
|
|
<a href="date.html#7">[ date ]</a>
|
|
<a href="thread.html#7">[ thread ]</a>
|
|
<a href="subject.html#7">[ subject ]</a>
|
|
<a href="author.html#7">[ author ]</a>
|
|
</LI>
|
|
</UL>
|
|
|
|
<hr>
|
|
<a href="/mailman/listinfo/bls-wg">More information about the bls-wg
|
|
mailing list</a><br>
|
|
</body></html>
|