crypto-primitives

Pairing-based signature aggregation

Open jon-chuang opened this issue 4 years ago • 5 comments

Is there any interest/avenue for implementing signature aggregation?

jon-chuang, Apr 26 '20 08:04

Hey @jon-chuang, we use Zexe to do it in https://github.com/celo-org/bls-zexe/. I'm wondering which aggregation you are referring to? Just adding or a random linear combination? I think one thing that would be beneficial to introduce is hash-to-curve.

kobigurk, Apr 26 '20 08:04

All curves should implement hash-to-curve really.

burdges, Apr 26 '20 09:04

Do any of the curves have hash to curve? Can we collate some resources for the different curves? I don't know much about it.

jon-chuang, Apr 26 '20 09:04

> Do any of the curves have hash to curve? Can we collate some resources for the different curves? I don't know much about it.

Any curve can use something like try-and-increment and then use from_random_bytes that exists in Zexe. This is not ideal for situations where you need constant time hashing and might be tricky to implement correctly and protect against DoS attacks.

The IETF document https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04 described methods for different kinds of curves, and https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00 uses SSWU, which I believe Eth2 is going to use.

kobigurk, Apr 26 '20 12:04
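The try-and-increment approach described in the comment above, as an added example that is not part of the original thread and is not Zexe's code: it hashes a message plus a counter to an x-coordinate on the BLS12-381 G1 curve equation and retries until a square root exists. The domain tag, function names and attempt cap are assumptions made for illustration, and cofactor clearing into the prime-order subgroup is omitted. The attempt count depends on the input, which is why the method is not constant time, and the cap bounds the work any single input can cause.

```python
import hashlib
from collections import Counter

# BLS12-381 base-field prime, derived from the curve parameter x (G1: y^2 = x^3 + 4).
X = -0xD201000000010000
P = (X - 1) ** 2 * (X ** 4 - X ** 2 + 1) // 3 + X
B = 4

class HashToCurveError(Exception):
    """No curve point found within the attempt budget."""

def _h(tag: bytes, seed: bytes) -> bytes:
    return hashlib.sha256(tag + seed).digest()

def try_and_increment(msg: bytes, dst: bytes = b"EXAMPLE-TAI", max_tries: int = 128):
    """Hash msg to a point on E(Fp). Returns ((x, y), attempts).

    Cofactor clearing into the prime-order subgroup G1 is omitted here.
    dst is a hypothetical domain-separation tag (assumed shorter than 256 bytes).
    """
    for ctr in range(max_tries):
        # Length-prefix the domain tag so (dst, msg) pairs cannot collide.
        seed = bytes([len(dst)]) + dst + ctr.to_bytes(4, "big") + msg
        # 512 bits reduced mod a 381-bit prime: negligible bias in x.
        x = int.from_bytes(_h(b"\x00", seed) + _h(b"\x01", seed), "big") % P
        rhs = (pow(x, 3, P) + B) % P
        y = pow(rhs, (P + 1) // 4, P)  # square-root candidate; valid because P % 4 == 3
        if y * y % P != rhs:
            continue  # x^3 + 4 is a non-residue: this x is not on the curve
        # Pick the sign of y from an independent hash bit so both roots are reachable.
        if y and (y & 1) != (_h(b"\x02", seed)[0] & 1):
            y = P - y
        return (x, y), ctr + 1
    # Hard cap: no input can force unbounded work.
    raise HashToCurveError(f"no point after {max_tries} attempts")

def attempt_histogram(n: int) -> Counter:
    """Attempts needed for n constructed messages: the count varies per input."""
    return Counter(try_and_increment(b"constructed-msg-%d" % i)[1] for i in range(n))

if __name__ == "__main__":
    print(sorted(attempt_histogram(200).items()))
```

Each attempt succeeds with probability about one half, so the histogram falls off roughly geometrically.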

> Do any of the curves have hash to curve? Can we collate some resources for the different curves? I don't know much about it.

BW6-761 uses Elligator-2 for G1 and a variant of Shallue–Woestijn due to Fouque-Tibouchi for G2.

yelhousni, Apr 28 '20 10:04