2

I want to know if there is a multisignature scheme that allows the merging of two multisignatures for the same data but by two different sets of users, and without knowing the corresponding private keys. The goal is to obtain a single multisig that has the same size than the two multisigs it originates from.

This would be useful to construct certificates in a network of users. For example, two distinct sets of 10 users both sign the message $m$ and produce two multisignatures, $s_1$ and $s_2$. Another user, which has not signed $m$ yet, receives $s_1$ and $s_2$ and wants to merge them together before adding his signature to the resulting multisig. Is there a cryptosystem that allows that?

The only multisignature scheme I know of is based on RSA, but it does not allow what I want: the only way to merge $s_1$ and $s_2$ with this technique is for all signers to contribute to one of these multisigs.

Thank you for your help.

JacopoStanchi
  • 241
  • 1
  • 11

2 Answers2

3

This kind of scheme exists and usually is called signature aggregation. One example is BLS (see https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html)

BLS is nice because it's non interactive. You simply take the product of the individual signatures and that becomes the aggregate signature under an aggregate public key.

lamba
  • 1,395
  • 8
  • 18
0

I think it's what you need https://link.springer.com/chapter/10.1007/978-3-642-40041-4_27 《Full Domain Hash from (Leveled) Multilinear Maps and Identity-Based Aggregate Signatures》 the aggregate algorithm

Dastro Yang
  • 11
  • 2