►
Description
The Ethereum Sharding Meeting #2 - Berlin
5. BLS aggregation by Vitalik Buterin and Justin Drake (Ethereum Foundation)
Resources: https://notes.ethereum.org/s/B1-7aivmX
---
Video: Anton Tal @antontal
Audio: Matteo Tambussi @matlemad
Producer: Chris Hobcroft @chrishobcroft
Executive Producer: Doug Petkanics @petkanics
For @livepeertv on behalf of @LivepeerOrg
A
C
A
D
If
we
think
about
not
just
the
signatures
themselves,
but
the
actual
mechanics
of
aggregation
right,
you
could
also
think
that
you
don't
even
have
to
have
to
store
all
the
public
keys
and
run
potentially,
because
because
these
signature
aggregation
is
associative
and
commutative.
So
what
you
can
actually
do
is
that
you
can
group
them
up
as
they
get
aggregated
and
actually
verify
at
each
point.
So
I've
received
two
messages
which
have
two
different
aggregates:
I,
verified
them
and
then
I
passed
them
on
is
another
aggregate.
And
then
you
just
have
a
very
efficient
aggregation,
mechanics.
E
C
A
A
The
number
of
network
trips,
but
it's
mean
a
more
like
in
the
successive
walk
for
two
to
one
now.
It
might
make
sense
to
increase
the
number
of
networks
somewhat,
because
once
you
go
into
having
like
50,000
keys
in
one
message,
then
you
start
running
into
the
issue
that
like
can
one
propose
or
really
download
and
add
up
50,000
signatures
and
like.
If
that
becomes
an
issue,
then
you
can
do
a
shorted
aggregation.
A
So
basically,
you
can
imagine
a
node
in
a
peer-to-peer
network
deciding
to
specialize
it
and
say
some
particular
chunk
of
the
bid
field
and
then,
like
one
participant,
would
say,
I
aggregate
all
that
they
know
about,
say
the
first
500
another.
Whatever
you'd
only
know
about
the
second
500,
and
then
you
can
have
each
participant
aggregate
square
root
of
n
instead
of
n,
and
that
basically
gives
you
all
the
efficiency
you
want.
Instead,.
A
That's
a
naive
way
of
doing
it
and,
as
the
naive
way
of
doing
it
becomes
too
inefficient,
which
would
probably
smite
could
start
happening
as
we
move
from
like
small
sets
of
alders
to
the
live
net,
with
like
four
you
know
like
400,000
or
whatever
validators
total,
then
it
would
make
sense
to
add
in
some
kind
of
this
kind
of
two-level
shorted
aggregation
structure
and
you
sort
of
like
target
someone
for.
Can
you
target
someone
for
exclusion
during
this
like
aggregation
process
and
what
you
can
probably
do?
Is
you
can?
A
Basically
you
can,
though,
like
in
this
like,
if
we
do
this
kind
of
okay,
so,
first
of
all,
there's
two
aspects
right.
So
in
the
simplest
model,
where
the
proposer
has
to
aggregate
all
the
signatures,
then
yes,
the
proposer
can
exclude
whoever
they
want
up
to
a
maximum
of,
like
whatever
the
minimum
number
is
that
they
have
to
include.
But.
C
B
A
What
we're
doing
from
any
can
you
from
a
four
choice,
rule
standpoint?
First
of
all,
you
can
still
count
them
if
you
want
to,
because
you
can
use
like
ghosts
and
from
an
incentivization
stand
points
like
you
can
have
in
from
generally
from
an
accounting
standpoint,
you
can
allow
any
of
the
messages
that
were
not
encoded
to
become
included
in
the
next
block.
Okay,
yeah.
A
A
A
So
I
originally
implementable.
Yes,
yes,
totally
implementable!
No
for
the
hash
function
like
I
already
did
it
and
like
Indian
Binet
gave
the
glue
the
green
lights
of
the
approach,
which
is
you
basically
hash
into
the
x-coordinate,
and
then
you
derived
the
y-coordinate
from
the
x-coordinate.
So
that
will
you
generate
a
point
that
you
don't
know
the
corresponding
discrete
log
for
that's
where
basically,
the
one
thing
that
matters
I.
C
Another
good
thing
is
that
there's
a
bunch
of
other
projects
in
the
blockchain
space
who
are
starting
to
use
VLS,
so
Definity
I
learned
about
polka
dot.
Today,
this
gr
and
just
in
general,
it
seems
that
there's
more
awareness
around
this
and
I
think
even
Bitcoin
is
considering
the
other
signatures
as
an
alternative
to
small.
Maybe.
C
I
believe
the
only
project
that
is
intending
to
use
it-
and
it's
not
even
using
it
right
now-
is
easy.
Cash
I
mean
it
is
part
of
a
family
of
curves
but
yeah.
They
have
an
implementation
in
rust,
which
they've
also
audited.
So
they
voted
to
the
implementation
and
the
curve
separately,
and
the
number
is
two
point:
five
milliseconds,
that's
from
this
specific
rust
implementation
and
I
believe
Shaun
Bowie.
Who
is
leading
the
effort
you
know,
spent
a
long
time.
Maybe
two
years
writing
this
library.