Is BLS multi-signature aggregation separable?

Question

In BLS multi-signature aggregation scheme we can combine different signatures of different peers into one single signature, and then we can verify whether the aggregated signature is truly signed by the claimed peers.

My questions is, having an aggregated signature, is it possible to separate the signatures and achieve the individual signatures of the peers? For example, having an aggregated signatures of A, B, and C, is it possible to separate it and get the original signature of A?

I would appreciate any resource.

score 3 · Accepted Answer · answered Mar 23 '22 at 15:00

For example, having an aggregated signatures of A, B, and C, is it possible to separate it and get the original signature of A?

Well, in BLS, an aggregated signature just the sum of the original sigantures; $\text{sign}(A,B,C) = \text{sign}(A) + \text{sign}(B) + \text{sign}(C)$ (where $\text{sign}(A,B,C)$ stands for the aggregate signature of $A, B, C$, and the addition is done on the pairing-friendly elliptic curve)

Hence, if you're just given the aggregated signature $\text{sign}(A,B,C)$, there isn't enough information to recover one of the original signatures.

However, if you do have the signatures of $B$ and $C$, you can subtract them out to reconstruct the original signature of $A$; $\text{sign}(A) = \text{sign}(A,B,C) - \text{sign}(B) - \text{sign}(C)$

Is BLS multi-signature aggregation separable?

1 Answers1