[Cryptography] Aggregate signatures

xor crypto at idlecore.com
Mon Jun 9 22:45:16 EDT 2014


On Mon, 2014-06-09 at 15:16 -0700, Jae Kwon wrote:
>         I'm going to think about contracts in the future. Right now I'm
>         working on a fee distribution protocol that, instead of mining,
>         depends on the agreement of all potential fee receivers. Maybe a
>         million peers was a bit much, but since the cryptocurrency in
>         question removes incentives for pool mining, as well as proof of
>         work, I anticipate even cellphone users will be able to 'mine'
>         currency, so I'm aiming high. I've been having several problems
>         with this protocol, one of which is bandwidth usage, hence my
>         interest in aggregate signatures.
> 
> 
> Interesting... How do you remove the incentive for proof-of-work
> without solving the byzantine generals problem?

I meant to say I removed the incentive for pool mining, and replaced proof
of work. The need to prove something is still there; it just won't be
work, it will be stake.

> If the message being signed is the same, that's technically called a
> "multisignature" scheme in literature, which is a type of "aggregate
> signature" scheme.  For a noninteractive BLS multisignature scheme,
> signing, aggregation, and verification are all fast, but for a
> noninteractive BLS general-aggregate-signature scheme, verification
> requires N pairing operations, where each pairing takes around 10+ms.
> [1]

I'll need both multisignatures and aggregate signatures. I think I
managed to overcome the extra overhead with aggregate signatures for
many messages by using pools of signers, but I'm still working on
creating and managing such pools safely and efficiently.
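
The verification cost discussed in this exchange, as an added example that is not part of the original message: a toy model of BLS aggregation that counts pairings when signers share a message, sign distinct messages, or fall into groups signing the same message. The names, the scalar stand-in for the pairing group, and the grouping by message are assumptions made for illustration (not necessarily the pool design the poster has in mind); the model is insecure and only reproduces the algebra.

```python
import hashlib

# Toy model (constructed, insecure): the group element x*G is stored as the
# scalar x mod Q, so the pairing e(aG, bG) = gT^(ab) is stored as a*b mod Q.
# This keeps the BLS algebra and lets us count pairings; it hides no secrets.
Q = 2**255 - 19  # a prime, standing in for the group order
pairings_used = 0

def pairing(a, b):
    global pairings_used
    pairings_used += 1
    return a * b % Q

def hash_to_group(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen(seed):
    sk = hash_to_group(b"key:" + seed)
    return sk, sk  # pk = sk*G, which the toy model stores as sk itself

def sign(sk, msg):
    return sk * hash_to_group(msg) % Q  # sigma = sk * H(m)

def aggregate(sigs):
    return sum(sigs) % Q  # group addition of signatures

def verify(pairs, agg_sig):
    """pairs: [(pk, msg)]. Returns (valid, pairings used)."""
    global pairings_used
    pairings_used = 0
    keys_by_msg = {}
    for pk, msg in pairs:  # signers of the same message share one summed key
        keys_by_msg[msg] = (keys_by_msg.get(msg, 0) + pk) % Q
    lhs = pairing(agg_sig, 1)  # e(sigma, G)
    rhs = sum(pairing(hash_to_group(m), pk) for m, pk in keys_by_msg.items()) % Q
    return lhs == rhs, pairings_used

def run(n_signers, messages):
    """Signer i signs messages[i % len(messages)] (constructed sample data)."""
    keys = [keygen(str(i).encode()) for i in range(n_signers)]
    msgs = [messages[i % len(messages)] for i in range(n_signers)]
    sigs = [sign(sk, m) for (sk, _), m in zip(keys, msgs)]
    return verify([(pk, m) for (_, pk), m in zip(keys, msgs)], aggregate(sigs))

if __name__ == "__main__":
    print(run(6, [b"block 1"]))                      # multisignature
    print(run(6, [b"tx %d" % i for i in range(6)]))  # general aggregate
    print(run(6, [b"pool A", b"pool B"]))            # two groups of signers
```

The count is one pairing per distinct message plus one for the aggregate signature, so it is the number of distinct messages, not the number of signers, that drives verification time.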




