5

It seems to me that it should be possible to hash a BLS signature to achieve significant space savings. Here is how it could work:

Assume we have a pairing-friendly elliptic curve with two generator points $G_1$ and $G_2$. Let's say my public key is $P = p \cdot G_1$, where $p$ is my private key. The standard BLS signature of message $m$ would be:

$$ S = p \cdot H(m) $$

where $H$ is a hash function that maps the message into the subgroup defined by $G_2$. The verification of the signature is done using a pairing function $e$ as follows:

$$ e(P, H(m)) \stackrel{?}{=} e(G_1, S) $$

If we use a curve such as BLS12-381, the size of the signature could be 96 bytes. But what if we redefine the signature as:

$$ s = H_2(e(G_1, p \cdot H(m))) $$

where $H_2$ is a cryptographic hash function (e.g. SHA256). The verification can then be done as follows:

$$ H_2(e(P, H(m))) \stackrel{?}{=} s $$

Not only is the signature now only 32 bytes, but it also takes only 1 pairing to verify.

The obvious drawback is that signatures can no longer be aggregated, but I'm wondering if there are any other issues with using this scheme.

irakliy

1 Answer

11

but I'm wondering if there are any other issues with using this scheme:

$H_2(e(P, H(m))) \stackrel{?}{=} s$

The obvious problem is that anyone with the public key can compute everything on the left side, and hence forge a signature to any message they want.

poncho
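The answer's observation, worked through as an added example (not code from either post or from any BLS library): the value the proposed verifier recomputes depends only on $P$ and $m$, so it equals the "signature" for every message. The pairing here is a constructed, insecure toy stand-in that is merely bilinear, and all names and parameters (`Q`, `P_MOD`, `G_T`, `expected_tag`, the key and messages) are assumptions made for illustration.

```python
import hashlib

# Toy symmetric "pairing" (constructed, insecure): group elements are integers
# mod Q standing for multiples of a generator, and e(a, b) = G_T^(a*b) mod P_MOD.
# It is bilinear, which is the only property this example relies on.
Q, P_MOD, G_T = 1019, 2039, 4   # Q prime, P_MOD = 2Q + 1 prime, G_T has order Q
G1 = 1                          # generator of the toy group

def e(a, b):
    return pow(G_T, (a * b) % Q, P_MOD)

def H(m):
    """Hash a message to a nonzero toy group element."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (Q - 1) + 1

def H2(gt):
    """32-byte hash of a pairing output, as in the proposal."""
    return hashlib.sha256(gt.to_bytes(2, "big")).digest()

def keygen(p):
    return (p * G1) % Q          # public key P = p * G1

def sign_hashed(p, m):
    """Proposed signer: s = H2(e(G1, p * H(m))). Uses the private key p."""
    return H2(e(G1, (p * H(m)) % Q))

def expected_tag(P, m):
    """What the proposed verifier recomputes: H2(e(P, H(m))). Public inputs only."""
    return H2(e(P, H(m)))

def verify_hashed(P, m, s):
    return expected_tag(P, m) == s

def demo():
    p = 777                      # private key (constructed)
    P = keygen(p)
    m = b"pay 10 to alice"       # constructed messages
    other = b"pay 10000 to mallory"
    honest = sign_hashed(p, m)
    no_key = expected_tag(P, other)   # never touches p
    return (verify_hashed(P, m, honest), verify_hashed(P, other, no_key),
            no_key == sign_hashed(p, other))

if __name__ == "__main__":
    print(demo())                # (True, True, True)
```

In standard BLS the verifier checks a relation that holds for the supplied group element $S$ without being able to derive $S$ from that check; here the check is a direct recomputation of $s$, so verifying and signing are the same public function.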