Accumulator (cryptography)

In cryptography, an accumulator is a one way membership hash function. It allows users to certify that potential candidates are a member of a certain set without revealing the individual members of the set. This concept was formally introduced by Josh Benaloh and Michael de Mare in 1993.[1][2]

Formal definitions

edit

There are several formal definitions which have been proposed in the literature. This section lists them by proposer, in roughly chronological order.[2]

Benaloh and de Mare (1993)

edit

Benaloh and de Mare define a one-way hash function as a family of functions   which satisfy the following three properties:[1][2]

  1. For all  , one can compute   in time  . (Here the "poly" symbol refers to an unspecified, but fixed, polynomial.)
  2. No probabilistic polynomial-time algorithm will, for sufficiently large  , map the inputs  , find a value   such that   with more than negligible probability.
  3. For all  , one has  . (A function that satisfies this property is called quasi-commutative.)

(With the first two properties, one recovers the normal definition of a cryptographic hash function.)

From such a function, one defines the "accumulated hash" of a set   and starting value   w.r.t. a value   to be  . The result, does not depend on the order of elements  because   is quasi-commutative.[1][2]

If   belong to some users of a cryptosystem, then everyone can compute the accumulated value   Also, the user of   can compute the partial accumulated value   of  . Then,   So the  user can provide the pair   to any other part, in order to authenticate  .

Barić and Pfitzmann (1997)

edit

The basic functionality of a quasi-commutative hash function is not immediate from the definition. To fix this, Barić and Pfitzmann defined a slightly more general definition, which is the notion of an accumulator scheme as consisting of the following components:[2][3]

  1. Gen: a probabilistic algorithm that takes in two parameters   (the security parameter and the number of values that can be securely accumulated, respectively), and returns an appropriate key  .
  2. Eval: a probabilistic algorithm that takes in a key   and accumulation set  , where  , and returning an accumulated value   and auxiliary information  . We insist that Eval must be deterministic for  .
  3. Wit: a probabilistic algorithm that takes in a key  , a value  , an accumulated value   of some set  , and some auxiliary information  , and returns either a witness   or the special symbol  . We insist that, if  , that Wit returns a witness, and that Wit otherwise returns  .
  4. Ver: a deterministic algorithm that takes in a key  , a value  , a witness  , and an accumulated value  , and returns a Yes/No value. We insist that if   was generated from running Wit on a tuple  , where   were generated from running Eval on some  , and where   was chosen arbitrarily and   was chosen from running Gen, that Ver always return Yes.

It is relatively easy to see that one can define an accumulator scheme from any quasi-commutative hash function, using the technique shown above.[2]

Camenisch and Lysyanskaya (2002)

edit

One observes that, for many applications, the set of accumulated values will change many times. Naïvely, one could completely redo the accumulator calculation every time; however, this may be inefficient, especially if our set is very large and the change is very small. To formalize this intuition, Camenish and Lysyanskaya defined a dynamic accumulator scheme to consist of the 4 components of an ordinary accumulator scheme, plus three more:[2][4]

  1. Add: a (possibly probabilistic) algorithm that takes in a key  , an accumulated value  , and another value to accumulate  , and returns a new accumulated value   and auxiliary information  . We insist that if   was generated by accumulating some set  , then   must be as if it were generated by accumulating the set  .
  2. Del: a (possibly probabilistic) algorithm that takes in a key  , an accumulated value  , and another value to accumulate  , and returns a new accumulated value   and auxiliary information  . We insist that if   was generated by accumulating some set  , then   must be as if it were generated by accumulating the set  .
  3. Upd: a deterministic algorithm that takes in the key  , a value  , a witness  , the accumulated value  , and auxiliary information  , and returns a new witness  . We insist that if   was generated by Gen,   is part of a set  ,   is a witness for   being a member of  , and   is an accumulated value for  , and   was generated by running Add or Del, then   will be a witness for   being a member of the new set.

Fazio and Nicolosi note that since Add, Del, and Upd can be simulated by rerunning Eval and Wit, this definition does not add any fundamentally new functionality.[2]

Examples

edit

One example is multiplication over large prime numbers. This is a cryptographic accumulator, since it takes superpolynomial time to factor a composite number (at least according to conjecture), but it takes only a small amount of time (polynomial in size) to divide a prime into an integer to check if it is one of the factors and/or to factor it out. New members may be added or subtracted to the set of factors by multiplying or factoring out the number respectively. In this system, two accumulators that have accumulated a single shared prime can have it trivially discovered by calculating their GCD, even without prior knowledge of the prime (which would otherwise require prime factorization of the accumulator to discover).[citation needed]

More practical accumulators use a quasi-commutative hash function, so that the size of the accumulator does not grow with the number of members. For example, Benaloh and de Mare propose a cryptographic accumulator inspired by RSA: the quasi-commutative function   for some composite number  . They recommend to choose   to be a rigid integer (i.e. the product of two safe primes).[1] Barić and Pfitzmann proposed a variant where   was restricted to be prime and at most   (this constant is very close to  , but does not leak information about the prime factorization of  ).[2][3]

David Naccache observed in 1993 that   is quasi-commutative for all constants  , generalizing the previous RSA-inspired cryptographic accumulator. Naccache also noted that the Dickson polynomials are quasi-commutative in the degree, but it is unknown whether this family of functions is one-way.[1]

In 1996, Nyberg constructed an accumulator which is provably information-theoretically secure in the random oracle model. Choosing some upper limit   for the number of items that can be securely accumulated and   the security parameter, define the constant   to be an integer multiple of   (so that one can write  ) and let   be some cryptographically secure hash function. Choose a key   as a random  -bit bitstring. Then, to accumulate using Nyberg's scheme, use the quasi-commutative hash function  , where   is the bitwise and operation and   is the function that interprets its input as a sequence of  -bit bitstrings of length  , replaces every all-zero bitstring with a single 0 and every other bitstring with a 1, and outputs the result.[2][5]

Applications

edit

Haber and Stornetta showed in 1990 that accumulators can be used to timestamp documents through cryptographic chaining. (This concept anticipates the modern notion of a cryptographic blockchain.)[1][2][6] Benaloh and de Mare proposed an alternative scheme in 1991 based on discretizing time into rounds.[1][7]

Benaloh and de Mare showed that accumulators can be used so that a large group of people can recognize each other at a later time (which Fazio and Nicolosi call an "ID Escrow" situation). Each person selects a   representing their identity, and the group collectively selects a public accumulator   and a secret  . Then, the group publishes or saves the hash function and the accumulated hash of all the group's identities w.r.t the secret   and public accumulator; simultaneously, each member of the group keeps both its identity value   and the accumulated hash of all the group's identities except that of the member. (If the large group of people do not trust each other, or if the accumulator has a cryptographic trapdoor as in the case of the RSA-inspired accumulator, then they can compute the accumulated hashes by secure multiparty computation.) To verify that a claimed member did indeed belong to the group later, they present their identity and personal accumulated hash (or a zero-knowledge proof thereof); by accumulating the identity of the claimed member and checking it against the accumulated hash of the entire group, anyone can verify a member of the group.[1][2] With a dynamic accumulator scheme, it is additionally easy to add or remove members afterward.[2][4]

Cryptographic accumulators can also be used to construct other cryptographically secure data structures:

  • Barić and Pfitzmann show that one can construct fail-stop signatures with only constant space by exploiting the compression property.[2][3]
  • Goodrich et al. constructed a size-oblivious, efficient, dynamic authenticated dictionary (which allows untrusted directories to give cryptographically verifiable answers to membership queries).[2][8]
  • Papamanthou et al. constructed a cryptographically secure hash table, whose functionality can be authenticated when stored remotely.[9]

The concept has received renewed interest due to the Zerocoin add on to bitcoin, which employs cryptographic accumulators to eliminate trackable linkage in the bitcoin blockchain, which would make transactions anonymous and more private.[10][11][12] More concretely, to mint (create) a Zerocoin, one publishes a coin and a cryptographic commitment to a serial number with a secret random value (which all users will accept as long as it is correctly formatted); to spend (reclaim) a Zerocoin, one publishes the Zerocoin's serial number along with a non-interactive zero-knowledge proof that they know of some published commitment that relates to the claimed serial number, then claims the coin (which all users will accept as long as the NIZKP is valid and the serial number has not appeared before).[10][11] Since the initial proposal of Zerocoin, it has been succeeded by the Zerocash protocol and is currently being developed into Zcash, a digital currency based on Bitcoin's codebase.[13][14]

See also

edit

References

edit
  1. ^ a b c d e f g h Benaloh, Josh; de Mare, Michael (1994). "One-Way Accumulators: A Decentralized Alternative to Digital Signatures" (PDF). Advances in Cryptology — EUROCRYPT '93. Lecture Notes in Computer Science. Vol. 765. pp. 274–285. doi:10.1007/3-540-48285-7_24. ISBN 978-3-540-57600-6. Retrieved 3 May 2021.
  2. ^ a b c d e f g h i j k l m n o Fazio, Nelly; Nicolosi, Antonio (2002). "Cryptographic Accumulators: Definitions, Constructions and Applications" (PDF). Archived (PDF) from the original on 3 June 2006. Retrieved 30 January 2021.
  3. ^ a b c Barić, Niko; Pfitzmann, Birgit (1997). "Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees". In Fumy, Walter (ed.). Advances in Cryptology — EUROCRYPT '97. Lecture Notes in Computer Science. Vol. 1233. Berlin, Heidelberg: Springer. pp. 480–494. doi:10.1007/3-540-69053-0_33. ISBN 978-3-540-69053-5.
  4. ^ a b Camenisch, Jan; Lysyanskaya, Anna (2002). "Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials". In Yung, Moti (ed.). Advances in Cryptology — CRYPTO 2002. Lecture Notes in Computer Science. Vol. 2442. Berlin, Heidelberg: Springer. pp. 61–76. doi:10.1007/3-540-45708-9_5. ISBN 978-3-540-45708-4.
  5. ^ Nyberg, Kaisa (1996). "Fast accumulated hashing". In Gollmann, Dieter (ed.). Fast Software Encryption. Lecture Notes in Computer Science. Vol. 1039. Berlin, Heidelberg: Springer. pp. 83–87. doi:10.1007/3-540-60865-6_45. ISBN 978-3-540-49652-6.
  6. ^ Haber, Stuart; Stornetta, W. Scott (1991). "How to Time-Stamp a Digital Document". In Menezes, Alfred J.; Vanstone, Scott A. (eds.). Advances in Cryptology — CRYPT0' 90. Lecture Notes in Computer Science. Vol. 537. Berlin, Heidelberg: Springer. pp. 437–455. doi:10.1007/3-540-38424-3_32. ISBN 978-3-540-38424-3.
  7. ^ Benaloh, J.; de Mare, M. (August 1991). "Efficient Broadcast Time-Stamping". Microsoft. CiteSeerX 10.1.1.38.9199. MSR-TR 91-1.
  8. ^ Goodrich, Michael T.; Tamassia, Roberto; Hasić, Jasminka (11 November 2001). "An Efficient Dynamic and Distributed Cryptographic Accumulator" (PDF). Information Security. Lecture Notes in Computer Science. Vol. 2433. pp. 372–388. doi:10.1007/3-540-45811-5_29. ISBN 978-3-540-44270-7. Archived from the original on 13 March 2003.
  9. ^ Papamanthou, Charalampos; Tamassia, Roberto; Triandopoulos, Nikos (18 August 2009). "Cryptographic Accumulators for Authenticated Hash Tables". Cryptology ePrint Archive. CiteSeerX 10.1.1.214.7737.
  10. ^ a b Ian, Miers; Garman, Christina; Green, Matthew; Rubin, Aviel D. (2013). "Zerocoin: Anonymous Distributed E-Cash from Bitcoin" (PDF). 2013 IEEE Symposium on Security and Privacy. pp. 397–411. doi:10.1109/SP.2013.34. ISBN 978-0-7695-4977-4. S2CID 9194314. Retrieved 3 May 2021.
  11. ^ a b Green, Matthew (11 April 2013). "Zerocoin: making Bitcoin anonymous". A Few Thoughts on Cryptographic Engineering. Archived from the original on 21 May 2014. Retrieved 3 May 2021.
  12. ^ Zerocoin: Anonymous Distributed E-Cash from Bitcoin Archived 8 February 2014 at the Wayback Machine
  13. ^ "Zerocoin Project". zerocoin.org. Retrieved 4 May 2021.
  14. ^ "Privacy-protecting digital currency | Zcash". Zcash. Retrieved 4 May 2021.