Folks here may be interested in this paper, from the polkadot folks.
abstract:
BLS signatures have fast aggregated signature verification but slow individual signature verification. We propose a three part optimisation that dramatically reduces CPU time in large distributed system using BLS signatures: First, public keys should be given on both source groups and , with a proof-of-possession check for correctness. Second, aggregated BLS signatures should carry their particular aggregate public key in , so that verifiers can do both hash-to-curve and aggregate public key checks in . Third, individual non-aggregated BLS signatures should carry short Chaum-Pedersen DLEQ proofs of correctness, so that verifying individual signatures no longer requires pairings, which makes their verification much faster. We prove security for these optimisations. The proposed scheme is implemented and benchmarked to compare with classic BLS scheme.