
Subset-Optimized BLS Multi-signature with Key Aggregation

  • Conference paper
Financial Cryptography and Data Security (FC 2024)

Abstract

We propose a variant of the Boneh, Drijvers, and Neven (Asiacrypt'18) BLS multi-signature aggregation scheme that is best suited to applications where the full set of potential signers is fixed and known in advance, and any subset I of this group can create a multi-signature over a message m. This setup is very common in proof-of-stake blockchains: with a total of 3f validators, any \(2f+1\) majority can sign transactions and/or blocks. Our scheme is secure against rogue-key attacks without requiring a proof-of-key-possession mechanism.

In our scheme, instead of randomizing the signatures at aggregation time, we have a one-time randomization phase of the public keys: each public key is replaced by a sticky randomized version (for which each participant can still compute the derived private key). The main benefit compared to the original Boneh et al. approach is that, since our randomization happens only once rather than per signature, we obtain significant savings during aggregation and verification without requiring a proof of possession. Specifically, for a subset I of t signers, we save t exponentiations in \(\mathbb {G}_2\) at aggregation and t exponentiations in \(\mathbb {G}_1\) at verification, or vice versa, depending on which BLS mode is used: minPK (public keys in \(\mathbb {G}_1\)) or minSig (signatures in \(\mathbb {G}_1\)).
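The mechanism described above, as an added illustration that is neither the paper's code nor the fastcrypto implementation it benchmarks: a toy-group Python model in which \(\mathbb {G}_1 = \mathbb {G}_2\) is a tiny prime-order subgroup of \(\mathbb {Z}_P^*\) and the pairing is simulated from a brute-force discrete-log table. That is only possible because the group is tiny, so the code models the algebra and the operation counts, not a secure implementation. The coefficient \(a_i = H(\textsf{pk}_i, \textsf{PK})\) is assumed here to take the Boneh-Drijvers-Neven form the abstract refers to; the paper's exact derivation may differ. The block verifies a t-of-n multi-signature both ways, counts the exponentiations spent after signing (2t for per-signature randomization, none for sticky key randomization, at the price of n exponentiations once), and runs the rogue-key attack against plain key aggregation and against the randomized keys.

```python
"""Toy model of BLS multi-signatures with one-time ("sticky") key randomization.
G1 = G2 = GT = the order-R subgroup of Z_P^*; the pairing is simulated with a
brute-force discrete-log table. Far too small to be secure: a model of the
algebra and of the operation counts only."""
import hashlib

P = 4079   # toy safe prime, P = 2*R + 1
R = 2039   # prime order of the subgroup standing in for G1, G2 and GT
G = 4      # generator of that subgroup (a quadratic residue other than 1)

_DLOG = {pow(G, x, P): x for x in range(R)}   # feasible only because R is tiny
EXPS = {"n": 0}                               # counts group exponentiations


def gexp(base, e):
    EXPS["n"] += 1
    return pow(base, e % R, P)


def gmul(a, b):
    return a * b % P


def pairing(a, b):
    """Toy bilinear map e(g^x, g^y) = x*y mod R, with GT written additively."""
    return _DLOG[a] * _DLOG[b] % R


def hash_to_scalar(*parts):
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return int.from_bytes(digest, "big") % (R - 1) + 1   # in [1, R-1], never 0


def hash_to_group(msg):
    # Toy stand-in for hash-to-curve (here the dlog of H(m) is known, unlike on a real curve).
    return pow(G, hash_to_scalar(b"H0", msg), P)


def keygen(seed):
    sk = hash_to_scalar(b"sk", seed)   # deterministic for the demo; use real randomness otherwise
    return sk, gexp(G, sk)


def sign(sk, msg):
    return gexp(hash_to_group(msg), sk)


def verify(pk, msg, sig):
    return pairing(sig, G) == pairing(hash_to_group(msg), pk)


def coeff(pk, pks):
    """a_i = H(pk_i, PK): assumed BDN-style coefficient, bound to the whole signer set."""
    return hash_to_scalar(b"coeff", str(pk).encode(), ",".join(str(k) for k in pks).encode())


def randomize_pk(pk, pks):
    return gexp(pk, coeff(pk, pks))     # needs no secret: any third party can compute pk_i*


def randomize_sk(sk, pk, pks):
    return coeff(pk, pks) * sk % R      # only the key owner can derive the matching sk_i*


def aggregate_bdn(pks, sigs, subset):
    """Boneh-Drijvers-Neven: coefficients applied at aggregation time, 2t exponentiations."""
    sig, apk = 1, 1
    for i in subset:
        a = coeff(pks[i], pks)
        sig, apk = gmul(sig, gexp(sigs[i], a)), gmul(apk, gexp(pks[i], a))
    return sig, apk


def aggregate_smskr(pk_stars, sigs, subset):
    """Sticky randomization: the subset aggregate is multiplications only."""
    sig, apk = 1, 1
    for i in subset:
        sig, apk = gmul(sig, sigs[i]), gmul(apk, pk_stars[i])
    return sig, apk


def compare(n=4, subset=(0, 1, 3), msg=b"block 42"):
    """Verify a t-of-n multi-signature both ways; count exponentiations spent after signing."""
    keys = [keygen(str(i).encode()) for i in range(n)]
    pks = [pk for _, pk in keys]
    sigs = [sign(sk, msg) for sk, _ in keys]
    EXPS["n"] = 0
    sig, apk = aggregate_bdn(pks, sigs, subset)
    bdn_ok, bdn_exps = verify(apk, msg, sig), EXPS["n"]

    EXPS["n"] = 0
    pk_stars = [randomize_pk(pk, pks) for pk in pks]      # one-time phase: n exponentiations
    setup_exps = EXPS["n"]
    star_sigs = [sign(randomize_sk(sk, pk, pks), msg) for sk, pk in keys]
    EXPS["n"] = 0
    sig, apk = aggregate_smskr(pk_stars, star_sigs, subset)
    smskr_ok, smskr_exps = verify(apk, msg, sig), EXPS["n"]
    return {"bdn_ok": bdn_ok, "bdn_exps": bdn_exps, "smskr_ok": smskr_ok,
            "smskr_exps": smskr_exps, "smskr_setup_exps": setup_exps}


def rogue_key(msg=b"block 42"):
    """pk_rogue = g^b / pk_1 lets a lone signer pass as a 2-of-2 multi-signature under plain
    key aggregation; with set-bound key randomization the same strategy fails."""
    sk1, pk1 = keygen(b"honest")
    b = hash_to_scalar(b"sk", b"attacker")
    pk_rogue = gmul(gexp(G, b), gexp(pk1, R - 1))   # attacker never learns sk1
    pks = [pk1, pk_rogue]
    naive = verify(gmul(pk1, pk_rogue), msg, sign(b, msg))          # apk = g^b
    apk_star = gmul(randomize_pk(pk1, pks), randomize_pk(pk_rogue, pks))
    attempt = sign(coeff(pk_rogue, pks) * b % R, msg)   # the only exponent the attacker knows
    return {"plain_aggregation_forged": naive, "smskr_forged": verify(apk_star, msg, attempt)}
```

With `compare()` the three-signer subset costs six exponentiations under per-signature randomization and none under sticky randomization, after a one-time cost of four; `rogue_key()` shows the forgery verifying against the plain aggregate key and failing against the randomized one, because the coefficient of the rogue key differs from the coefficient of the honest key it was built from.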

Interestingly, our security proof requires a significant departure from the co-CDH based proof of Boneh et al. When n (size of the universal set of signers) is small, we prove our protocol secure in the Algebraic Group and Random Oracle models based on the hardness of the Discrete Log problem. For larger n, our proof also requires the Random Modular Subset Sum (RMSS) problem.

F. Garillot, M. Sedaghat and P. Waiwitlikhit—Work done at Mysten Labs.


Notes

  1. We note that aggregate signatures are a more general primitive which, as opposed to multi-signatures, allows the aggregation of n signatures on different messages into a single short signature.

  2. https://github.com/Chia-Network/bls-signatures.

  3. https://www.ietf.org/id/draft-irtf-cfrg-bls-signature-05.html.

  4. This is much preferable to the PoP approach as it avoids the need for zero-knowledge proofs (which entail prover/verifier costs as well as support for ZK from the underlying blockchain).

  5. In most cases, computing \(\textsf{pk}_i^\star \) does not need any secret; thus, this algorithm could be defined separately for \(\textsf{sk}\) and \(\textsf{pk}\).

  6. We propose SMSKR in the minSig mode; it can easily be extended to minPK.

  7. The randomization of \(\textsf{pk}\) can be performed by any third party, as no secret is required.

  8. Note that the sign algorithm uses an already randomized secret key (and thus there is no need to parse \(\textsf{PK}\) again).

  9. As we explain in [2], the attack does not apply to [8].

  10. https://github.com/MystenLabs/research/tree/main/cryptography/bls_aggregation_combinatorics.

  11. The current number of validators is 800,000: https://beaconscan.com/statistics.

  12. https://github.com/MystenLabs/fastcrypto (commit 6eb758ba78612e5e22a2748dd7a4b2c8b3724377).

  13. https://github.com/MystenLabs/fastcrypto/blob/mskr-bench/fastcrypto/src/mskr_bench.rs (commit 4d1bad60b6db5bfbb448d98d89a72cfaebab6e56).

References

  1. Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: Ning, P., Syverson, P.F., Jha, S. (eds.) ACM CCS 2008: 15th Conference on Computer and Communications Security, pp. 449–458. ACM Press, Alexandria, Virginia, USA (2008). https://doi.org/10.1145/1455770.1455827

  2. Baldimtsi, F., et al.: Subset-optimized BLS multi-signature with key aggregation. Cryptology ePrint Archive, Paper 2023/498 (2023). https://eprint.iacr.org/2023/498

  3. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM CCS 2006: 13th Conference on Computer and Communications Security, pp. 390–399. ACM Press, Alexandria, Virginia, USA (2006). https://doi.org/10.1145/1180405.1180453

  4. bheisler: cargo-criterion. https://github.com/bheisler/cargo-criterion (2022)

  5. Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_3

  6. Boldyreva, A., Gentry, C., O'Neill, A., Yum, D.H.: Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing. In: Ning, P., De Capitani di Vimercati, S., Syverson, P.F. (eds.) ACM CCS 2007: 14th Conference on Computer and Communications Security, pp. 276–285. ACM Press, Alexandria, Virginia, USA (2007). https://doi.org/10.1145/1315245.1315280

  7. Boneh, D., Drijvers, M., Neven, G.: BLS multi-signatures with public-key aggregation. https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html (2018)

  8. Boneh, D., Drijvers, M., Neven, G.: Compact multi-signatures for smaller blockchains. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 435–464. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_15

  9. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30

  10. Brickell, E.F.: Solving low density knapsacks. In: Chaum, D. (ed.) Advances in Cryptology - CRYPTO '83, pp. 25–37. Plenum Press, New York, USA (1983)

  11. Coster, M.J., LaMacchia, B.A., Odlyzko, A.M., Schnorr, C.P.: An improved low-density subset sum algorithm. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 54–67. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_4

  12. Crites, E.C., Kohlweiss, M., Preneel, B., Sedaghat, M., Slamanig, D.: Threshold structure-preserving signatures. In: Guo, J., Steinfeld, R. (eds.) ASIACRYPT 2023, Part II. LNCS, vol. 14439, pp. 348–382. Springer (2023). https://doi.org/10.1007/978-981-99-8724-5_11

  13. Crites, E.C., Komlo, C., Maller, M.: How to prove Schnorr assuming Schnorr: security of multi- and threshold signatures. Cryptology ePrint Archive, Paper 2021/1375 (2021). https://eprint.iacr.org/2021/1375

  14. Deirmentzoglou, E., Papakyriakopoulos, G., Patsakis, C.: A survey on long-range attacks for proof of stake protocols. IEEE Access 7, 28712–28725 (2019). https://doi.org/10.1109/ACCESS.2019.2901858

  15. Drake, J.: Pragmatic signature aggregation with BLS - Sharding (2018). https://ethresear.ch/t/pragmatic-signature-aggregation-with-bls/2105

  16. Drijvers, M., et al.: On the security of two-round multi-signatures. In: 2019 IEEE Symposium on Security and Privacy, pp. 1084–1101. IEEE Computer Society Press, San Francisco, CA, USA (2019). https://doi.org/10.1109/SP.2019.00050

  17. Edgington, B.: Upgrading Ethereum. https://eth2book.info/bellatrix/

  18. El Bansarkhani, R., Sturm, J.: An efficient lattice-based multisignature scheme with applications to bitcoins. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 140–155. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_9

  19. Ethereum core developers: Ethereum proof-of-stake consensus specifications. https://github.com/ethereum/consensus-specs

  20. Frieze, A.M.: On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM J. Comput. 15(2), 536–539 (1986)

  21. Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_2

  22. Fukumitsu, M., Hasegawa, S.: A lattice-based provably secure multisignature scheme in quantum random oracle model. In: Nguyen, K., Wu, W., Lam, K.Y., Wang, H. (eds.) ProvSec 2020. LNCS, vol. 12505, pp. 45–64. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-62576-4_3

  23. Groth, J.: Non-interactive distributed key generation and key resharing. Cryptology ePrint Archive, Paper 2021/339 (2021). https://eprint.iacr.org/2021/339

  24. Impagliazzo, R., Naor, M.: Efficient cryptographic schemes provably as secure as subset sum. J. Cryptology 9(4), 199–216 (1996). https://doi.org/10.1007/BF00189260

  25. Itakura, K.: A public-key cryptosystem suitable for digital multisignatures (1983)

  26. Lagarias, J.C., Odlyzko, A.M.: Solving low-density subset sum problems. J. ACM 32(1), 229–246 (1985)

  27. Lindell, Y.: Simple three-round multiparty Schnorr signing with full simulatability. Cryptology ePrint Archive, Paper 2022/374 (2022). https://eprint.iacr.org/2022/374

  28. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465–485. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_28

  29. Lyubashevsky, V.: On random high density subset sums. Electron. Colloquium Comput. Complex. TR05 (2005)

  30. Micali, S., Ohta, K., Reyzin, L.: Accountable-subgroup multisignatures: extended abstract. In: Reiter, M.K., Samarati, P. (eds.) ACM CCS 2001: 8th Conference on Computer and Communications Security, pp. 245–254. ACM Press, Philadelphia, PA, USA (2001). https://doi.org/10.1145/501983.502017

  31. Nick, J., Ruffing, T., Seurin, Y.: MuSig2: simple two-round Schnorr multi-signatures. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 189–221. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_8

  32. Nick, J., Ruffing, T., Seurin, Y., Wuille, P.: MuSig-DN: Schnorr multi-signatures with verifiably deterministic nonces. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 2020: 27th Conference on Computer and Communications Security, pp. 1717–1731. ACM Press, Virtual Event, USA (2020). https://doi.org/10.1145/3372297.3417236

  33. Nicolosi, A., Krohn, M.N., Dodis, Y., Mazières, D.: Proactive two-party signatures for user authentication. In: ISOC Network and Distributed System Security Symposium – NDSS 2003. The Internet Society, San Diego, CA, USA (2003)

  34. Ohta, K., Okamoto, T.: A digital multisignature scheme based on the Fiat-Shamir scheme. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 139–148. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57332-1_11

  35. Pan, J., Wagner, B.: Chopsticks: fork-free two-round multi-signatures from non-interactive assumptions. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part V. LNCS, vol. 14008, pp. 597–627. Springer (2023). https://doi.org/10.1007/978-3-031-30589-4_21

  36. Ristenpart, T., Yilek, S.: The power of proofs-of-possession: securing multiparty signatures against rogue-key attacks. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 228–245. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_13

  37. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) Advances in Cryptology – CRYPTO '89 Proceedings, pp. 239–252. Springer, New York (1990)

  38. Supranational: blst. https://github.com/supranational/blst (2022)

  39. Tessaro, S., Zhu, C.: Threshold and multi-signature schemes from linear hash functions. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part V. LNCS, vol. 14008, pp. 628–658. Springer (2023). https://doi.org/10.1007/978-3-031-30589-4_22

  40. Vesely, P., Gurkan, K., Straka, M., Gabizon, A., Jovanovic, P., Konstantopoulos, G., Oines, A., Olszewski, M., Tromer, E.: Plumo: an ultralight blockchain client. In: Financial Cryptography and Data Security: 26th International Conference, FC 2022, Grenada, May 2–6, 2022, Revised Selected Papers, pp. 597–614. Springer, Berlin, Heidelberg (2022). https://doi.org/10.1007/978-3-031-18283-9_30

  41. Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–304. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_19


Acknowledgments

We would like to thank the anonymous reviewers for their valuable comments. We also thank the a16z crypto team for reviewing the paper, recommending improvements, and providing future extension ideas. In particular, we thank Dan Boneh (Stanford University) and Valeria Nikolaenko (a16z crypto research). Mahdi Sedaghat was supported in part by the Research Council KU Leuven C1 on Security and Privacy for Cyber-Physical Systems and the Internet of Things with contract number C16/15/058 and by CyberSecurity Research Flanders with reference number VR20192203.

Author information

Corresponding author

Correspondence to Arnab Roy.


Copyright information

© 2025 International Financial Cryptography Association

About this paper

Cite this paper

Baldimtsi, F. et al. (2025). Subset-Optimized BLS Multi-signature with Key Aggregation. In: Clark, J., Shi, E. (eds) Financial Cryptography and Data Security. FC 2024. Lecture Notes in Computer Science, vol 14745. Springer, Cham. https://doi.org/10.1007/978-3-031-78679-2_10


  • DOI: https://doi.org/10.1007/978-3-031-78679-2_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-78678-5

  • Online ISBN: 978-3-031-78679-2

  • eBook Packages: Computer Science (R0)
