Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials
We introduce the notion of a dynamic accumulator. An accumulator scheme allows one to hash a large set of inputs into one short value, such that there is a short proof that a given input was incorporated into this value. A dynamic accumulator allows one to dynamically add and delete a value, such that the cost of an add or delete is independent of the number of accumulated values. We provide a construction of a dynamic accumulator and an efficient zero-knowledge proof of knowledge of an accumulated value. We prove their security under the strong RSA assumption. We then show that our construction of dynamic accumulators enables efficient revocation of anonymous credentials, and membership revocation for recent group signature and identity escrow schemes.
Keywords: Dynamic accumulators, anonymity, certificate revocation, group signatures, credential systems, identity escrow
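The operations the abstract describes (add, delete, and a short membership witness) can be made concrete with a toy RSA-style accumulator. This is an added example, not code from the paper: the tiny primes, the base value and all function names are constructed for illustration, and the witness-update rules are the standard ones for RSA accumulators over primes coprime to φ(n).

```python
# Added example: toy RSA-style dynamic accumulator. Parameters are constructed
# and far too small for real use; function names are hypothetical.
P, Q = 1019, 1187            # safe primes: 2*509+1 and 2*593+1
N = P * Q                    # public modulus
PHI = (P - 1) * (Q - 1)      # trapdoor, held only by the accumulator manager

def add(v, x):
    """Accumulate prime x: one exponentiation, whatever the set size."""
    return pow(v, x, N)

def delete(v, x):
    """Remove x with the trapdoor by taking the x-th root of v."""
    return pow(v, pow(x, -1, PHI), N)

def verify(v, x, u):
    """Witness u shows x is accumulated in v iff u^x == v (mod N)."""
    return pow(u, x, N) == v

def update_on_add(u, x_new):
    """Holder of witness u refreshes it after x_new is added (public data only)."""
    return pow(u, x_new, N)

def egcd(a, b):
    """Return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def update_on_delete(u, x, x_del, v_new):
    """Refresh the witness for x after x_del != x is deleted, without the trapdoor."""
    g, a, b = egcd(x, x_del)          # a*x + b*x_del == 1 for distinct primes
    assert g == 1
    return pow(u, b, N) * pow(v_new, a, N) % N

def demo():
    v0 = 4                             # quadratic residue used as the empty accumulator
    v1 = add(v0, 3); u3 = v0
    v2 = add(v1, 5); u5 = v1; u3 = update_on_add(u3, 5)
    v3 = add(v2, 7); u7 = v2
    u3, u5 = update_on_add(u3, 7), update_on_add(u5, 7)
    all_valid = verify(v3, 3, u3) and verify(v3, 5, u5) and verify(v3, 7, u7)
    v4 = delete(v3, 5)                 # revoke the credential bound to 5
    u3 = update_on_delete(u3, 3, 5, v4)
    u7 = update_on_delete(u7, 7, 5, v4)
    # Remaining members verify again; the revoked witness no longer does.
    return all_valid, verify(v4, 3, u3), verify(v4, 7, u7), verify(v4, 5, u5)
```

Each add, delete and witness update is a constant number of modular exponentiations, which is the property that makes revocation cost independent of the number of accumulated values.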