Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Transcription

1 S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK, Graz University of Technology

2 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 2

3 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 3

4 Static Accumulators Finite set Accumulator 4

5 Static Accumulators Finite set Accumulator Witnesses wit x certifying membership of x in acc X Efficiently computable x X Intractable to compute x / X 4

6 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n mod N 5

7 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N 5

8 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. 5

9 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. Witness for y / X Would imply breaking strong RSA... unless factorization of N is known. 5

10 Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X 6

11 Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X Universal features Demonstrate non-membership Non-membership witness wit x Efficiently computable x / acc X Intractable to compute x acc X 6

12 Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability 7

13 Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability Thus, accumulators not usable as black-boxes Limited exchangeability when used in other constructions Relations to other primitives hard to study 7

14 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability 8

15 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc 8

16 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets 8

17 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets Exhaustive classification of existing schemes (see Paper) 8

18 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 9

19 Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify 10

20 Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit 10

21 Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit Dynamic Accumulators additionally provide Add Delete WitUpdate 10

22 Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type 11

23 Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) 11

24 Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) For dynamic accumulator schemes The same additionally applies to WitUpdate 11

25 Security Correctness Collision freeness Undeniability Indistinguishability 12

26 Security - Collision Freeness Experiment Exp cf κ ( ): 13

27 Security - Collision Freeness Experiment Exp cf κ ( ): A wins if wit x is membership witness for non-member, or wit x is non-membership witness for member 13

28 Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): 14

29 Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): A wins if verification succeeds for both wit x and wit x 14

30 Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud 15

31 Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud Other direction does not hold [BLL02] 15

32 Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators 16

33 Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators We provide formalization not suffering from shortcomings above 16

34 Security - Indistinguishability II Experiment Exp ind κ ( ): 17

35 Security - Indistinguishability II Experiment Exp ind κ ( ): A wins if guess correct 17

36 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. 18

37 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition 18

38 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability 18

39 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability We modify [Ngu05] to provide indistinguishability First indistinguishable t-bounded dynamic accumulator 18

40 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 19

41 Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X 20

42 Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators 20

43 Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators Algorithms compatible Security notions similar 20

44 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability 21

45 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) 21

46 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability Other direction unclear, sim-based notion seems stronger 21

47 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability 21 Other direction unclear, sim-based notion seems stronger First undeniable, unbounded, indistinguishable acc Nearly ZK sets t-bounded

48 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 22

49 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m 23

50 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward 23

51 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m 23

52 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m Hiding: For C to either m 0 or m 1. Intractable to decide whether C opens to m 0 or m 1 23

53 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true 24

54 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding 24

55 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding 24

56 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding Observe: cfw-indistinguishability not useful 24

57 Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set 25

58 Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set Trapdoor commitments Use sk acc as trapdoor 25

59 Conclusion Unified model for accumulators Covering all features existing to date 26

60 Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme 26

61 Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme Show relations to other primitives Commitments Zero-knowledge sets Yields first undeniable, unbounded, indistinguishable, universal accumulator Inspiration for new constructions 26

62 Thank you. Extended version:

63 References I [BLL02] Ahto Buldas, Peeter Laud, and Helger Lipmaa. Eliminating counterevidence with applications to accountable certificate management. Journal of Computer Security, 10(3): , [Ngu05] Lan Nguyen. Accumulators from bilinear pairings and applications. In Topics in Cryptology - CT-RSA 2005, The Cryptographers Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18, 2005, Proceedings, pages ,