Most of the discussions in the community on BLS covered BLS aggregation where all the individual signatures are on the same message. This scheme is subject to attack, and would likely not be secure for GRIN.
But in a paper from two years ago, Dan Boneh actually proved the security of naive signature aggregation when all the messages of the individual signatures are different.
Here is a quotation from the paper in order to make things more precise:
“(One of the standard defenses) against the rogue public-key attack:
– Require that the messages being aggregated are distinct [12, 7], namely the verifier rejects an aggregate signature on non-distinct messages. This is sufficient to prevent the rogue key attack. Moreover, message distinctness can be enforced by always prepending the public key to every message prior to signing. However, because now all messages are distinct, we cannot take advantage of public-key aggregation as in (3) when aggregating signatures on a common message m.”
The precise description of this interesting and very scalable scheme is at the beginning of section 3.2, and as far as I understand it could be used for GRIN, shrinking kernel size by 2/3. The aggregate signature proves that each individual public key had a correct signature, making the scheme naturally compatible with Mimblewimble. The security of the scheme is proven academically.
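To make the quoted defence concrete, here is an added toy model (my own example, not code from the paper or from GRIN). It replaces the pairing groups with integers mod a constructed prime N and the pairing with e(a, b) = a*b mod N: this keeps bilinearity, so the aggregate-verification equation behaves as in BLS, but discrete logs are trivial, so it says nothing about real security. It shows (1) honest aggregation of signatures on distinct, public-key-prefixed messages, (2) why a verifier that accepts repeated messages is exposed to the rogue public-key attack the quote refers to, and (3) that the "reject non-distinct messages" rule is enough for the verifier to refuse that aggregate. All function names, key values and messages are assumptions of this example.

```python
import hashlib

# Constructed toy parameters: prime modulus N and generator G = 1.
# All "group elements" are integers mod N; this is a bilinearity model only.
N = (1 << 61) - 1
G = 1


def hash_to_group(msg: bytes) -> int:
    """Toy hash-to-group: SHA-256 of the message reduced mod N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def pairing(a: int, b: int) -> int:
    """Toy bilinear map e(a, b) = a*b mod N (bilinear, but trivially invertible)."""
    return (a * b) % N


def keygen(sk: int) -> int:
    """pk = sk * G."""
    return (sk * G) % N


def sign(sk: int, msg: bytes) -> int:
    """BLS-style signature: sk * H(msg)."""
    return (sk * hash_to_group(msg)) % N


def prefixed(pk: int, msg: bytes) -> bytes:
    """Prepend the signer's public key so every aggregated message is distinct."""
    return pk.to_bytes(8, "big") + msg


def sign_prefixed(sk: int, msg: bytes) -> int:
    """Sign the public-key-prefixed message, as the quoted defence suggests."""
    return sign(sk, prefixed(keygen(sk), msg))


def aggregate(sigs) -> int:
    """Naive aggregation: the sum (product, in a multiplicative group) of signatures."""
    return sum(sigs) % N


def verify_aggregate(pks, msgs, agg_sig: int, require_distinct: bool = True) -> bool:
    """Check prod_i e(pk_i, H(m_i)) == e(G, agg_sig).

    With require_distinct=True the verifier rejects any aggregate whose
    message list contains a repeated message, which is the defence in the quote.
    """
    if len(pks) != len(msgs) or not pks:
        return False
    if require_distinct and len(set(msgs)) != len(msgs):
        return False
    lhs = sum(pairing(pk, hash_to_group(m)) for pk, m in zip(pks, msgs)) % N
    return lhs == pairing(G, agg_sig)


def honest_prefixed_aggregate_verifies() -> bool:
    """Three honest signers, one common kernel message, pk-prefixed before signing."""
    sks = [7, 11, 13]                      # constructed secret keys
    msg = b"kernel: fee=1 lock_height=0"   # constructed common message
    pks = [keygen(sk) for sk in sks]
    msgs = [prefixed(pk, msg) for pk in pks]
    agg = aggregate(sign_prefixed(sk, msg) for sk in sks)
    return verify_aggregate(pks, msgs, agg)


def rogue_key_demo() -> dict:
    """Why distinctness matters: a key chosen after seeing the victim's key.

    In the toy model the adversary picks x and publishes pk_a = x*G - pk_v, so
    pk_v + pk_a = x*G and x*H(m) passes the aggregate equation for the pair on a
    common message. A verifier that enforces distinct messages refuses it.
    """
    msg = b"kernel: fee=1 lock_height=0"
    sk_v = 7
    pk_v = keygen(sk_v)
    x = 99
    pk_a = (x * G - pk_v) % N
    forged = (x * hash_to_group(msg)) % N  # never touched sk_v
    return {
        "same_message_lax_verifier": verify_aggregate([pk_v, pk_a], [msg, msg], forged, require_distinct=False),
        "same_message_strict_verifier": verify_aggregate([pk_v, pk_a], [msg, msg], forged),
        "prefixed_messages": verify_aggregate([pk_v, pk_a], [prefixed(pk_v, msg), prefixed(pk_a, msg)], forged),
    }


if __name__ == "__main__":
    print("honest prefixed aggregate:", honest_prefixed_aggregate_verifies())
    print("rogue key demo:", rogue_key_demo())
```

The point to take from the model is in `verify_aggregate`: the only change between the insecure and the secure verifier is the distinctness check, and prefixing each message with the signer's public key makes that check pass for honest signers while, as the quote notes, giving up public-key aggregation on a common message.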
- No more scriptless scripts (atomic swaps, lightning, …) if we don’t keep Schnorr signatures somewhere.
- Quite a big change in the security assumption.
- Would require changing the current elliptic curve and integrating a pairing-friendly curve instead (in practice we would likely need to support two curves).