[Cryptography] non-interactive multi-signature algorithm?

[Allen]

I'm looking for an non-interactive multi-signature algorithm.  It is not
necessary that the algorithm be secure in the PPK (plain public-key) model,
i.e., it would be possible to require each signer to go through a setup
step where they must prove knowledge of the private key corresponding to
their chosen public key.

It is my understanding that [BN06] (Bellare, Neven, "Multi-Signatures in
the Plain Public-Key Model") requires three round-trip interactions with
each signer.  One non-interactive scheme I've seen is [QLH12] (Qian, Li,
Huang, "Tightly Secure Non-Interactive Multisignatures in the Plain Public
Key Model").  Can anyone comment on the relative merits of that algorithm,
or any other proposed algorithms, possibly including algorithms that
require a key setup/verification step?

[QLH12] http://www.mii.lt/informatica/pdf/INFO864.pdf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160423/bbb1b2c1/attachment.html>