BLS Multi-Signatures With Public-Key Aggregation

Authors: D. Boneh, M. Drijvers, and G. Neven

This short note describes a simple approach for aggregating many BLS signatures on a common message, so that verifying the short multi-signature is fast. Moreover, the system supports public key aggregation, where the verification algorithm only uses a short aggregated public key. The original public keys are not needed for verifying the multi-signature. An important property of the construction is that the scheme is secure against a rogue public-key attack without requiring users to prove knowledge of their secret keys (this is sometimes called the plain public-key model). The construction builds upon the work of Bellare and Neven, and the recent work of Maxwell, Poelstra, Seurin, and Wuille.

web note

Full paper: html

Related papers: The full version of this work titled Multi-signature schemes for Bitcoin is currently under review.