A robust multisignature scheme with applications to acknowledgement aggregation

Abstract

A multicast communication source often needs to securely verify which multicast group members have received a message, but verification of individually signed acknowledgments from each member would impose a significant computation and communication cost. As pointed out by Nicolosi and Mazieres [NM04], such cost is minimized if the intermediate nodes along the multicast distribution tree aggregate the individual signatures generated by the multicast receivers into a single multisignature. While the solution of [NM04], based on a multisignature scheme of Boldyreva [Bol03], relied on so-called "Gap Diffie-Hellman" groups, we propose a solution using a multisignature scheme which is secure under just the discrete logarithm assumption. However, unlike the previously known discrete-log based multisignature scheme of Micali et al. [MOR01a], our multisignature scheme is robust, which allows for an efficient multisignature generation even in the presence of (possibly malicious) node and communication failures. © Springer-Verlag Berlin Heidelberg 2005.