Aggregate BLS signatures for votes

[UnitylChaos]

Using BLS signatures for validator votes would also allow for smaller IBC packets in Cosmos, as the Tendermint headers will only require one signature. It would also be possible to do the aggregation while the votes are being gossiped, which could reduce total bandwidth and possibly allow better scaling.

The mechanism for aggregation in the gossip process, without introducing extra overhead, is an open design problem. Current idea I'm working with is to treat the set of possible votes as a binary tree, and only aggregate when you have a complete subtree. That way you won't ever receive two partially overlapping aggregations and have to double count some signatures. Signatures can be double counted safely, but it would require using integers to track validators votes, rather than a single bit, and complicates the verification process.

@ValarDragon and I have been working on a go implementation of these signatures: bgls
Review and feedback would be very much appreciated.

[ethanfrey]

This sounds great, and I know there is much interest in BLS. As I don't have a deep knowledge of how it works, can you clarify one point?

If I combine say 70 out of 100 signatures in BLS, is it clear which 70 signed, or just some 70 out of that set? This is super important as each validator has a different weight, and it matters which ones signed, not just how many. You mention some btree algorithm needed on the side to avoid double-counting?

If this can be solved, IBC packets will be like 10-20x smaller, which is a HUGE win!

[ValarDragon]

With BLS you still need to know the exact public keys and messages that we're signed. So it has to be clear which validators signed off on it, so the 2/3rds stake can still be checked. There is one important caveat, you need to the multiplicity with which ones signature was included in the aggregate signature.

@jlandrews and I have been discussing two different models for doing this. One model is that the resultant aggregate signature has an accompanying bitfield, which indicates which signers signed off on the message. This model will work, it just has the downside that aggregation can't be done that effectively until the end. (So all signatures basically get passed around to everyone) This is just like how tendermint is currently doing it, so this would strictly be an improvement since the end signature is smaller.

We are also currently working on a second model where the aggregate signatures can be pre-aggregated. The issue is that when two different aggregate signatures include the same validator, the fact that that validators signature is included twice needs to be accounted for. The problem that has to be solved is essentially a malicious adversary putting the maximum possible number of copies of their signature onto every signature being passed around, preventing those signatures from being pre-aggregated. However, if our model is correct it would mean that a validator has to relay fewer signatures to the other validators in tendermint, which reduces the overall network traffic. (And therefore aid in scaling to higher numbers of validators) It also in effect reduces the number of signatures that will need to be transmitted, while still keeping everything provable. We haven't finished working through this model, but if you'd like I can post what we're currently thinking of here.

[UnitylChaos]

To follow up on what @ValarDragon posted, we have created the general outline of a full scheme which will allow for aggregation while votes are being gossiped.
We define an Aggregate Vote data structure:
Aggregate Vote

• Byte[] multiplicity index (an array of ints, encoded with n bits per int)
• Block info (height, round, prevote/precommit, block hash, etc)
• Signature

This can be verified as proving that each indicated validator signed the block, by taking a linear combination of the validator public keys specified by the multiplicity index, and verifying the signature against the constructed public key.
We also require that the aggregated vote is “valuable” enough to justify it’s maximum multiplicity. This is so that it is not possible for an adversary to set the maximum multiplicity on its own signature field for every signature it can see, to prevent them from being aggregated together. The way we do this is as follows:
Let the the proportion of total stake represented by an aggregate signature be p, and let n be the log_2(maximum multiplicity) supported for the final signature. (n has to be set independently of the number of total validators, because it effectively sets the minimum proportion of total stake a single validator can have)
If p < 1/3rd, no signature can have multiplicity greater than 2^(n - 1) - 1
If p < 1/6th, no signature can have multiplicity greater than 2^(n - 2) - 1
(and so on.)
If this condition isn’t met, the aggregate vote shouldn’t be accepted. Suppose you have enough signatures to make 2/3rds of the total stake. This means that in the worst case setting, you may have n signatures in total, before you can aggregate them all together.
Upon receiving a valid aggregate vote, it is integrated into the local vote set. Using Lattice basis reduction, each validator can reduce the multiplicity of their signatures.
When a validator sends votes to their neighbors, they should construct the lowest multiplicity aggregation, which includes all votes we have that said neighbour doesn’t have. We haven’t yet figured out what algorithm to use for this. In the worst case, the validator would send all their distinct signatures which can’t be aggregated together. We expect that the validator simply aggregating all votes they hold and sending that to the peer will, in most cases, stay below the multiplicity limit.
The current tendermint scheme has all the validators sync the signatures they know of one at a time with their neighbours. The same thing is being done here, except now the validators aggregate and send all signatures they know of according to the above scheme. We conjecture that this should reduce the time complexity to being logarithmic in the number of validators. Since votes should always be relayed in every step, and never delayed for multiple steps at one node, we expect that the maximum time for a vote to get to all peers should be proportional to the average hop distance in the network, and in a gossip topology we expect this to be logarithmic.

[ethanfrey]

Very cool idea.
And the protection against overflowing multiplicity sounds solid. I will think about it and maybe come up with some scenarios a malicious validator could cause delays, but first glance it seems solid.

The lograrhythmic reduction of vote communication is very valuable, especially since the three rounds of gossip are the bottleneck of latency in the consensus algorithm.

[jackzampolin]

This sounds like a great improvement. What is blocking implementation here?

[ValarDragon]

Bls12-381 hsms or really good key rotation support.