We suppose we have the SHA256 hash function and the same G curve as above. In its simplest form, an aggregate signature is built from:
- the message M to sign, in our case the transaction fee
- a private key x, with its matching public key x*G
- a nonce k just used for the purpose of building the signature
We build the challenge e = SHA256(M | k*G | x*G), and the scalar s = k + e * x. The full aggregate signature is then the pair (s, k*G).
The signature can be checked using the public key x*G, re-calculating e using M and k*G from the 2nd part of the signature pair and by verifying that s, the first part of the signature pair, satisfies:
s*G = k*G + e * x*G
In this simple case of someone sending a transaction to a receiver they trust (see later for the trustless case), an aggregate signature can be directly built for a Grin transaction by calculating the total blinding factor of inputs and outputs r and using it as the private key x above. The resulting kernel is assembled from the aggregate signature generated using r and the public key r*G, and allows verifying non-inflation for all Grin transactions (and signs the fees).
Because these signatures are built simply from a scalar and a public key, they can be used to construct a variety of contracts using "simple" arithmetic.