Common use of Succinctness Clause in Contracts

Succinctness. We require that the size of each signature is O˜(1). This holds both for signatures in the support of Sign and of Aggregate. Additionally, we also require that the aggregate algorithm { } ∈ can be decomposed into two algorithms Aggregate1 and Aggregate2. Depending on the set of input signatures σi i [q] and the verification keys, the first algorithm Aggregate1 deterministically outputs a subset of the signatures Ssig. The second (possibly randomized) algorithm Aggregate2 then aggregates these signatures without relying on the verification keys. Looking ahead at the BA protocol in Section 4.1, subsets of the parties will collectively run the aggregation algorithm. Although the inputs to the aggregation algorithm need not be kept private, it could be the case that the randomness used should remain secret, e.g., in the SRDS construction in Section 5.2. For this reason, the computation of Aggregate2 in the BA construction will be carried out using an MPC protocol; to keep the overall communication of every party O˜(1), we require the circuit size representing Aggregate2 to be O˜(1). The goal of Aggregate1 is to deterministically filter out invalid inputs (using the verification keys), such that Aggregate2 only depends on the verified signatures and not on the n verification keys (otherwise the circuit size will be too large).

Succinctness. We require that the size of each signature is O˜(1). This holds both for signatures in the support of Sign and of Aggregate. Additionally, we also require that the aggregate algorithm { } ∈ can be decomposed into two algorithms Aggregate1 and Aggregate2. Depending on the set of input signatures σi i [q{σi}i∈[q] and the verification verification keys, the first first algorithm Aggregate1 deterministically outputs a subset of the signatures Ssig. The second (possibly randomized) algorithm Aggregate2 then aggregates these signatures without relying on the verification verification keys. Looking ahead at the BA protocol in Section 4.1, subsets of the parties will collectively run the aggregation algorithm. Although the inputs to the aggregation algorithm need not be kept private, it could be the case that the randomness used should remain secret, e.g., in the SRDS construction in Section 5.2. For this reason, the computation of Aggregate2 in the BA construction will be carried out using an MPC protocol; to keep the overall communication of every party O˜(1), we require the circuit size representing Aggregate2 to be O˜(1). The goal of Aggregate1 is to deterministically filter filter out invalid inputs (using the verification verification keys), such that Aggregate2 only depends on the verified verified signatures and not on the n verification verification keys (otherwise the circuit size will be too large).