Hi everyone,
I am reading whitepaper.
Does “an aggregation of the n - f signatures on the message comprising the hash of B and the height h.” in “5.7 Notarization” mean the threshold BLS signature? (“5.8 Finalization” is equivalent).
No, it is just an aggregation of n - f individual signature, not a threshold signature. The difference between the two is that the signature validation requires knowledge of the supporting set of n - f identities (which the threshold signature does not require). That’s why the set of identities is listed in the bullet point above.
It is possible to replace both item (set of identities plus aggregation) by a single threshold signature, but only if the chosen signature scheme actually allows it. The protocol in the paper makes a weaker assumption. It does not assume that the signature schemes used for notarization and finalization are set up for threshold signatures. In particular, they don’t have to be BLS. Only the random beacon needs to be BLS. The reasons to make a weaker assumption are:
- DKG won’t be required for notarization and finalization. Threshold signature schemes require DKG which is hard to do and expensive. Aggregation schemes don’t require DKG.
- Notarization and finalization can potentially be made faster. If the alternative is to use BLS threshold signatures then an aggregation scheme based on a non-pairing curve can be much faster.
2 Likes
Thank you! I was mistaken. I understood.