BLS signatures are being widely adopted because individual signatures can be efficiently aggregated. However, cryptoeconomic protocols, e.g. light clients or oracle networks, often require identifying the misbehaving signers in order to slash their stake. That necessitates that the aggregate signatures also be accountable. Following a protocol sketched by Alistair Stewart (https://hackmd.io/_n8g5ClHQDmpeZeVery5bg), we implement an aggregation scheme for vanilla BLS signatures with the desired property.
An example application of the protocol is a bridge from a chain using BLS signatures (say, Polkadot) to a chain capable of verifying pairings on the same curve (say, Ethereum, after EIP-2537 is deployed, or another Substrate-based chain).
Al's HackMD notes are barely comprehensible. The implementation allowed for subtle design choices at every step.
Tracks Applied (3)
Avail
Nethermind Research