🤖 AI Summary
Misuse of BLS aggregate signatures in cryptographic protocols introduces critical security risks due to ambiguous or insufficient formal security modeling.
Method: We propose the first abstraction framework for verifiable aggregate signatures amenable to automated formal verification (Tamarin/ProVerif), rigorously distinguishing generic security definitions from BLS-specific semantics. Our framework comprehensively models adversary capabilities, cryptographic primitives, and protocol syntax symbolically.
Contributions/Results: (1) We formally characterize the essential security constraints of BLS aggregate signatures—previously unstated in formal models; (2) we identify a previously unarticulated but crucial assumption underlying the SANA device authentication protocol; (3) exploiting its absence, we construct a practical forgery attack, empirically validating our model’s precision and utility. This work advances standardization in the formal modeling of aggregate signature protocols and bridges the gap between theoretical security guarantees and real-world deployment.
📝 Abstract
Aggregate signatures are digital signatures that compress multiple signatures from different parties into a single signature, thereby reducing storage and bandwidth requirements. BLS aggregate signatures are a popular kind of aggregate signature, deployed by Ethereum, Dfinity, and Cloudflare amongst others, and are currently undergoing standardization at the IETF. However, BLS aggregate signatures are difficult to use correctly, with nuanced requirements that must be carefully handled by protocol developers. In this work, we design the first models of aggregate signatures that enable formal verification tools, such as Tamarin and ProVerif, to be applied to protocols using these signatures. We introduce general models that are based on the cryptographic security definition of generic aggregate signatures, allowing the attacker to exploit protocols where the security requirements are not satisfied. We also introduce a second family of models formalizing BLS aggregate signatures in particular. We demonstrate our approach's practical relevance by modelling and analyzing in Tamarin a device attestation protocol called SANA. Despite SANA's claimed correctness proof, with Tamarin we uncover undocumented assumptions that, when omitted, lead to attacks.