Suppose we have new_key
and new_proof
such that:
pok_verify(new_key, new_key_index, new_proof)
passes
bls_verify(aggregate_key, aggregate_signature, message)
passes
where new_key
, new_proof
and message
are the only variables in our control, and aggregate_key
and aggregate_signature
are the respective "sums" of all the keys / signatures involved, including our own. One can interpret new_key
as a rogue key (denoted by