Secure acknowledgment aggregation and multisignatures with limited robustness

Abstract

In certain reliable group-oriented and multicast applications, a source needs to securely verify whether all (and if not all, which) intended receivers have received a message. However, secure verification of individual acknowledgments from all receivers can impose a significant computation and communication burden. Such cost can be significantly reduced if intermediate nodes along the distribution tree aggregate the acknowledgments produced by the multicast receivers into a single multisignature. The approach explored in prior work on acknowledgment aggregation [A. Nicolosi, D. Mazieres, Secure acknowledgement of multicast messages in open peer-to-peer networks, in: 3rd International Workshop on Peer-to-Peer Systems (IPTPS’04), San Diego, CA, February 2004] is based on a multisignature scheme of [A. Boldyreva, Efficient threshold signatures, multisignatures and blind signatures based on the gap-Diffie–Hellman-group signature scheme, in: Public Key Cryptography 2003, 2003]. However, this multisignature scheme requires a relatively new cryptographic assumption of “Gap Diffie–Hellman”. In contrast, we propose a solution using multisignature schemes secure under more standard and long-standing security assumptions. In particular, we show how to extend previously known non-robust multisignature scheme [S. Micali, K. Ohta, L. Reyzin, Accountable-subgroup multisignatures, in: ACM Conference on Computer and Communications Security, October 2001] based on the discrete logarithm assumption to achieve limited robustness. Our extension—which also generalizes to certain other multisignature schemes—allows for efficient multisignature generation in the presence of (possibly malicious) node and communication failures, as long as the number of such faults does not exceed a certain threshold.