mailman-lists-archive/pipermail/bls-wg/2018/000007.html

94 lines
4.0 KiB
HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE> [BLS-wg] New algorithm for aggregating BLS signatures
</TITLE>
<LINK REL="Index" HREF="/pipermail/bls-wg/2018/index.html" >
<LINK REL="made" HREF="mailto:bls-wg%40lists.zfnd.org?Subject=Re%3A%20%5BBLS-wg%5D%20New%20algorithm%20for%20aggregating%20BLS%20signatures&In-Reply-To=%3CCAHUJnBC%2B1ZAeVDcLaPFYq-%2BybyvfFs7oYJXWjMD6Ae5FE34BTg%40mail.gmail.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<style type="text/css">
pre {
white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */
}
</style>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000006.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[BLS-wg] New algorithm for aggregating BLS signatures</H1>
<B>Bram Cohen</B>
<A HREF="mailto:bls-wg%40lists.zfnd.org?Subject=Re%3A%20%5BBLS-wg%5D%20New%20algorithm%20for%20aggregating%20BLS%20signatures&In-Reply-To=%3CCAHUJnBC%2B1ZAeVDcLaPFYq-%2BybyvfFs7oYJXWjMD6Ae5FE34BTg%40mail.gmail.com%3E"
TITLE="[BLS-wg] New algorithm for aggregating BLS signatures">bram at chia.net
</A><BR>
<I>Mon Mar 26 16:50:05 EDT 2018</I>
<P><UL>
<LI>Previous message (by thread): <A HREF="000006.html">[BLS-wg] New algorithm for aggregating BLS signatures
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#7">[ date ]</a>
<a href="thread.html#7">[ thread ]</a>
<a href="subject.html#7">[ subject ]</a>
<a href="author.html#7">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>I pointed Dan Boneh to this post and he said:
Excellent. Great to see that they are reading it. The comment is correct
... that is the right way to interpret the batch verification formula.
On Sun, Mar 25, 2018 at 11:05 PM, Sean Bowe &lt;<A HREF="/mailman/listinfo/bls-wg">sean at z.cash</A>&gt; wrote:
&gt;<i> Thanks for posting, looks cool!
</I>&gt;<i>
</I>&gt;<i> I noticed that the batch verification technique proposed in Dan's note
</I>&gt;<i> encourages you to perform the random exponentiations on the pairing
</I>&gt;<i> products, but in practice it's probably more efficient for you to
</I>&gt;<i> apply them as scalar multiplications to the aggregated public keys
</I>&gt;<i> prior to the pairings. That is,
</I>&gt;<i>
</I>&gt;<i> e(g_1, sigma) = e(apk_1 * rho_1, H_0(m_1)) *** e(apk_b * rho_b, H_0(m_b))
</I>&gt;<i>
</I>&gt;<i> Or, you could also apply it to the G2 element by combining it with the
</I>&gt;<i> G2 cofactor multiplication you have to do anyway as a result of
</I>&gt;<i> hashing to the group. (The G2 cofactor is quite large, so it may pay
</I>&gt;<i> off if you're doing windowed exponentiation.)
</I>&gt;<i>
</I>&gt;<i> Sean
</I>&gt;<i>
</I>&gt;<i> On Sat, Mar 24, 2018 at 9:40 PM, Bram Cohen via bls-wg
</I>&gt;<i> &lt;<A HREF="/mailman/listinfo/bls-wg">bls-wg at lists.z.cash.foundation</A>&gt; wrote:
</I>&gt;<i> &gt; Dan Boneh came up with a new approach for aggregating BLS signatures
</I>&gt;<i> which
</I>&gt;<i> &gt; allows keys to be aggregated as well as signatures. We're going to be
</I>&gt;<i> &gt; implementing this:
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; <A HREF="https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html">https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html</A>
</I>&gt;<i>
</I>
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message (by thread): <A HREF="000006.html">[BLS-wg] New algorithm for aggregating BLS signatures
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#7">[ date ]</a>
<a href="thread.html#7">[ thread ]</a>
<a href="subject.html#7">[ subject ]</a>
<a href="author.html#7">[ author ]</a>
</LI>
</UL>
<hr>
<a href="/mailman/listinfo/bls-wg">More information about the bls-wg
mailing list</a><br>
</body></html>