BLS Signature Aggregate and Rogue-Key Attacks

BLS Signature

There are

P_{0}

P_{1}

P_{2}

P_{3}

four parties.

P_{0}

: secret key

s k_{0}

, message

m_{0}

, public key

P_{0} = s k_{0} \cdot G

, signature

S_{0} = H (m_{0}) \cdot s k_{0}

P_{1}

: secret key

s k_{1}

, message

m_{1}

, public key

P_{1} = s k_{1} \cdot G

, signature

S_{1} = H (m_{1}) \cdot s k_{1}

P_{2}

: secret key

s k_{2}

, message

m_{2}

, public key

P_{2} = s k_{2} \cdot G

, signature

S_{2} = H (m_{2}) \cdot s k_{2}

P_{3}

: secret key

s k_{3}

, message

m_{3}

, public key

P_{3} = s k_{3} \cdot G

, signature

S_{3} = H (m_{3}) \cdot s k_{3}

one by one:

e (G, S_{0}) = e (P_{0}, H (m_{0}))

and so on.

H

, hash to curve, result is a point.

S = S_{0} + S_{1} + S_{2} + S_{3}

\begin{aligned} e (G, S) & = e (G, S_{0} + S_{1} + S_{2} + S_{3}) \\ = e (G, S_{0}) \cdot e (G, S_{1}) \cdot e (G, S_{2}) \cdot e (G, S_{3}) \\ = e (G, s k_{0} \cdot H (m_{0})) \cdot e (G, s k_{1} \cdot H (m_{1})) \cdot e (G, s k_{2} \cdot H (m_{2})) \cdot e (G, s k_{3} \cdot H (m_{3})) \\ = e (s k_{0} \cdot G, H (m_{0})) \cdot e (s k_{1} \cdot G, H (m_{1})) \cdot e (s k_{2} \cdot G, H (m_{2})) \cdot e (s k_{3} \cdot G, H (m_{3})) \\ = e (P_{0}, H (m_{0})) \cdot e (P_{1}, H (m_{1})) \cdot e (P_{2}, H (m_{2})) \cdot e (P_{3}, H (m_{3})) \end{aligned}

Use aggregated signature, we can compute

n - 1

less expensive pairings. (

2 n

n + 1

)

m_{0} = m_{1} = m_{2} = m_{3} = m

, for example, in consensus, different nodes sign the same block.

There are 5 parties: 4 validators and 1 leader.

The leader broadcasts block(
$m$ ) to all the validators
The validators send back signatures
$S_{0}, \dots, S_{3}$ .
The leader broadcasts the aggregated signature
$S = S_{0} + S_{1} + S_{2} + S_{3}$
The validators validate
$e (G, S) = e (P, H (m))$ with
$P = P_{0} + P_{1} + P_{2} + P_{3}$ , as
$e (G, S) = e (P_{0}, H (m)) \cdot e (P_{1}, H (m)) \cdot e (P_{2}, H (m)) \cdot e (P_{3}, H (m)) = e (P_{0} + P_{1} + P_{2} + P_{3}, H (m))$ .

The malicious leader want to change the block, such as he want to double-spend.

The leader new a secret key
$s k^{'}$ , with public key
$P^{'} = s k^{'} \cdot G$
The leader sign the new block(
$m^{'}$ ):
$S^{'} = s k^{'} \cdot H (m^{'})$
The leader public new public key
$P_{4} = P^{'} - (P_{0} + P_{1} + P_{2} + P_{3}) = P^{'} - P_{origin}$
The leader public new signature
$S_{4} = S^{'} - (S_{0} + S_{1} + S_{2} + S_{3}) = S^{'} - S_{origin}$
Other validators aggregate:
$S_{new} = S_{0} + \dots + S_{4} = S^{'}$ ,
$P_{new} = P_{0} + \dots + P_{4} = P^{'}$ ,
$e (G, S_{new}) = e (G, S^{'}) = e (P^{'}, H (m^{'})) = e (P_{new}, H (m^{'}))$ , So validators think the new block(
$m^{'})$ is legal.