Description
Hi folks (@hoeteck @sergeynog @zhenfeizhang):
I have a concern about subgroup checks in the aggregate signature case.
- The `Aggregate` function (defined in Section 2.8) does not validate subgroup membership of each signature.
- Instead, `CoreAggregateVerify` checks subgroup membership of the sum of all signatures output by `Aggregate`.
- This is fine from the perspective of the pairing operation---it ensures that the inputs are in the proper subgroups, and thus that the `pairing` function is defined.
- But it doesn't rule out crafting two signatures that contain low-order components that cancel once they are `Aggregate`d, which breaks uniqueness.
Unless I'm crazy, this is a problem, and I think the fix is to check the subgroup of each signature before summing in Aggregate. Does this seem correct?
(Sorry to bear bad news...)
(By the way, a question from @dot-asm turned this up. Thank you!)
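The following is an added toy model of the point raised above; it is not code from the BLS draft or from this repository. It replaces the pairing-friendly curve with the additive group Z_N, N = P*Q, where the multiples of Q form the prime-order-P subgroup that plays the role of the signature group and the multiples of P are low-order elements that a subgroup check must reject. `P`, `Q`, the constructed signature values, and the function names are all assumptions chosen for illustration. It shows that checking only the aggregate (as `CoreAggregateVerify` does) accepts a pair of signatures whose low-order parts cancel, while checking each signature inside `Aggregate` rejects them.

```python
# Toy model of subgroup checks for aggregated signatures (constructed example).
# Group: integers mod N under addition, N = P * Q.
P = 101  # prime order of the "good" subgroup (stand-in for the BLS order r)
Q = 3    # cofactor: elements of order Q exist outside that subgroup
N = P * Q

def in_subgroup(x: int) -> bool:
    """Subgroup check: x has order dividing P iff P*x == 0 in Z_N."""
    return (P * x) % N == 0

def aggregate_unchecked(sigs: list[int]) -> int:
    """Models the draft's Aggregate: sum the signatures, no per-element check."""
    return sum(sigs) % N

def aggregate_checked(sigs: list[int]) -> int:
    """Models the proposed fix: reject any signature outside the subgroup
    before summing."""
    for s in sigs:
        if not in_subgroup(s):
            raise ValueError(f"signature {s} is not in the prime-order subgroup")
    return sum(sigs) % N

def aggregate_subgroup_check_only(agg: int) -> bool:
    """Models the part of CoreAggregateVerify that checks only the sum."""
    return in_subgroup(agg)

def demo() -> dict:
    # Two honest signatures: both are multiples of Q, so they lie in the subgroup.
    honest = [5 * Q, 7 * Q]
    # A low-order element: P has order Q in Z_N (Q*P == N == 0), so it is
    # outside the subgroup and in_subgroup(P) is False.
    low_order = P
    # Constructed pair: add the low-order part to one signature and subtract it
    # from the other. The sum is unchanged, so it still lies in the subgroup.
    crafted = [(honest[0] + low_order) % N, (honest[1] - low_order) % N]

    agg_honest = aggregate_unchecked(honest)
    agg_crafted = aggregate_unchecked(crafted)
    try:
        aggregate_checked(crafted)
        checked_rejected = False
    except ValueError:
        checked_rejected = True

    return {
        "honest_sigs_in_subgroup": all(in_subgroup(s) for s in honest),
        "crafted_sigs_in_subgroup": [in_subgroup(s) for s in crafted],
        # Both pairs aggregate to the same value, so uniqueness is lost...
        "same_aggregate": agg_honest == agg_crafted,
        # ...and a check on the sum alone does not notice.
        "sum_only_check_passes": aggregate_subgroup_check_only(agg_crafted),
        # Per-signature checking inside Aggregate is what catches it.
        "per_signature_check_rejects": checked_rejected,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check `P*x == 0` is the direct analogue of multiplying a curve point by the subgroup order and comparing against the identity; in the real setting the cheaper cofactor-based or endomorphism-based membership tests serve the same purpose, but the placement of the test is the point here: it has to run per signature, before the sum is formed.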