Beware of The Rogue Public Key

With BN256, we create the private key from a random number. This is a scalar value (sk_1), and the public key is this scalar mapped to a point on the G2 curve:

pk_1 = sk_1.G_2

Next, we create a hash of the message (H(M)) and then create the signature:

σ_1 = sk_1.H(M)

Next, we check the pairing:

e(σ_1, G_2) == e(H(M), pk_1)

This works because:

e(σ_1, G_2) == e(H(M), pk_1)

is:

e(sk_1.H(M), G_2) == e(H(M), pk_1)

and, moving the scalar sk_1 across the pairing:

e(H(M), sk_1.G_2) == e(H(M), pk_1)

which is:

e(H(M), pk_1) == e(H(M), pk_1)

If the left-hand side is equal to the right-hand side, the pairing check passes and the signature is verified.

Now we can aggregate the signatures. For the second set of keys, we have a public key of:

pk_2 = sk_2.G_2

and the second signature will be:

σ_2 = sk_2.H(M)

Then the aggregated public key will be:

pk_a = pk_1 + pk_2

Then the aggregated signature will be:

σ_a = σ_1 + σ_2

The check is then:
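
As an added example (not code from the original article), the signing, verification and aggregation algebra above can be run with a stand-in pairing, using the standard BLS same-message aggregate check e(σ_a, G_2) == e(H(M), pk_a). It assumes an insecure toy bilinear map in place of BN256 (points stored as scalars modulo a small prime), and every name and parameter in it is hypothetical.

```python
import hashlib
import secrets

# Toy bilinear group (constructed; NOT BN256, NOT secure). A "point" is stored
# as its scalar multiple of the generator, so discrete logs are trivial. It is
# used only because it satisfies e(a.P, b.Q) = e(P, Q)^(a.b).
Q = 1019           # prime order of G1, G2 and GT
P = 2 * Q + 1      # 2039 is prime, so Z_P* has a subgroup of order Q
GT_GEN = 4         # 2^2 mod P generates that order-Q subgroup
G2 = 1             # generator of G2 in the toy representation


def pairing(g1_point, g2_point):
    """e(.,.): bilinear map from G1 x G2 into GT."""
    return pow(GT_GEN, (g1_point * g2_point) % Q, P)


def hash_to_g1(message):
    """H(M): map the message bytes to a non-zero element of G1."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest % (Q - 1) + 1


def keygen():
    sk = secrets.randbelow(Q - 1) + 1       # random scalar in [1, Q-1]
    return sk, (sk * G2) % Q                # pk = sk.G2


def sign(sk, message):
    return (sk * hash_to_g1(message)) % Q   # sigma = sk.H(M)


def verify(pk, message, sigma):
    # e(sigma, G2) == e(H(M), pk)
    return pairing(sigma, G2) == pairing(hash_to_g1(message), pk)


def aggregate(elements):
    """Group addition, used for both pk_a and sigma_a."""
    return sum(elements) % Q


def demo(message=b"constructed sample message"):
    (sk1, pk1), (sk2, pk2) = keygen(), keygen()
    s1, s2 = sign(sk1, message), sign(sk2, message)
    pk_a, s_a = aggregate([pk1, pk2]), aggregate([s1, s2])
    return {"single": verify(pk1, message, s1),
            "aggregate": verify(pk_a, message, s_a),
            "tampered_signature": verify(pk_a, message, (s_a + 1) % Q)}
```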

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice