Revisiting Cryptographic Accumulators, Additional Properties and Relations to Other Primitives
Cryptographic accumulators allow one to accumulate a finite set of values into a single succinct accumulator. For every accumulated value, one can efficiently compute a witness, which certifies its membership in the accumulator. However, it is computationally infeasible to find a witness for any non-accumulated value. Since their introduction, various accumulator schemes for numerous practical applications and with different features have been proposed. Unfortunately, to date there is no unifying model capturing all existing features. Such a model can turn out to be valuable as it allows one to use accumulators in a black-box fashion.
To this end, we propose a unified formal model for (randomized) cryptographic accumulators which covers static and dynamic accumulators, their universal features and includes the notions of undeniability and indistinguishability. Additionally, we provide an exhaustive classification of all existing schemes. In doing so, it turns out that most accumulators are distinguishable. Fortunately, a simple, light-weight generic transformation allows many existing dynamic accumulator schemes to be made indistinguishable. As this transformation, however, comes at the cost of reduced collision freeness, we additionally propose the first indistinguishable scheme that does not suffer from this shortcoming. Finally, we employ our unified model to present a black-box construction of commitments from indistinguishable accumulators as well as a black-box construction of indistinguishable, undeniable universal accumulators from zero-knowledge sets. The latter yields the first universal accumulator construction that provides indistinguishability.
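As an added illustration (not code from the paper), the accumulate / witness / verify interface and the dynamic insertion mentioned in the abstract can be seen in a textbook RSA accumulator. The toy modulus, base and sample values are constructed for this example; the paper's own schemes and its indistinguishability transformation are not reproduced here.

```python
# Added illustration: textbook RSA accumulator with constructed toy parameters.
from math import prod

P, Q = 23, 47   # constructed toy safe primes; far too small for real use
N = P * Q       # public modulus; its factorisation must stay secret
G = 4           # public base, a quadratic residue mod N (assumed for this demo)

def accumulate(values):
    """Fold a set of distinct primes into one element: G^(product) mod N."""
    return pow(G, prod(values), N)

def witness(values, x):
    """Membership witness for x: the accumulator of every value except x."""
    if x not in values:
        raise ValueError("no witness exists for a non-accumulated value")
    return pow(G, prod(v for v in values if v != x), N)

def verify(acc, x, wit):
    """Accept iff wit^x == acc (mod N)."""
    return pow(wit, x, N) == acc

def add(acc, witnesses, y):
    """Dynamic insertion: raise the accumulator and every witness to y."""
    new_acc = pow(acc, y, N)
    updated = {x: pow(w, y, N) for x, w in witnesses.items()}
    updated[y] = acc  # the old accumulator is the witness for the new value
    return new_acc, updated

def demo():
    members = [3, 5, 7, 13]              # constructed sample set of primes
    acc = accumulate(members)
    wits = {x: witness(members, x) for x in members}
    ok_members = all(verify(acc, x, wits[x]) for x in members)
    reused = verify(acc, 17, wits[3])    # witness for 3 presented for 17
    acc2, wits2 = add(acc, wits, 17)
    ok_after_add = all(verify(acc2, x, w) for x, w in wits2.items())
    stale = verify(acc2, 3, wits[3])     # witness not updated after insertion
    return ok_members, reused, ok_after_add, stale

if __name__ == "__main__":
    print(demo())
```

The stale-witness check shows why a dynamic accumulator needs a witness update step: a witness issued before an insertion no longer verifies against the new accumulator value.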