S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK, Graz University of Technology www.iaik.tugraz.at
Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 2
Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 3
Static Accumulators Finite set Accumulator 4
Static Accumulators Finite set Accumulator Witnesses wit x certifying membership of x in acc X Efficiently computable x X Intractable to compute x / X 4
A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n mod N 5
A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N 5
A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. 5
A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. Witness for y / X Would imply breaking strong RSA... unless factorization of N is known. 5
Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X 6
Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X Universal features Demonstrate non-membership Non-membership witness wit x Efficiently computable x / acc X Intractable to compute x acc X 6
Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability 7
Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability Thus, accumulators not usable as black-boxes Limited exchangeability when used in other constructions Relations to other primitives hard to study 7
Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability 8
Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc 8
Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets 8
Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets Exhaustive classification of existing schemes (see Paper) 8
Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 9
Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify 10
Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit 10
Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit Dynamic Accumulators additionally provide Add Delete WitUpdate 10
Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type 11
Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) 11
Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) For dynamic accumulator schemes The same additionally applies to WitUpdate 11
Security Correctness Collision freeness Undeniability Indistinguishability 12
Security - Collision Freeness Experiment Exp cf κ ( ): 13
Security - Collision Freeness Experiment Exp cf κ ( ): A wins if wit x is membership witness for non-member, or wit x is non-membership witness for member 13
Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): 14
Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): A wins if verification succeeds for both wit x and wit x 14
Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud 15
Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud Other direction does not hold [BLL02] 15
Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators 16
Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators We provide formalization not suffering from shortcomings above 16
Security - Indistinguishability II Experiment Exp ind κ ( ): 17
Security - Indistinguishability II Experiment Exp ind κ ( ): A wins if guess correct 17
Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. 18
Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition 18
Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability 18
Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability We modify [Ngu05] to provide indistinguishability First indistinguishable t-bounded dynamic accumulator 18
Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 19
Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X 20
Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators 20
Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators Algorithms compatible Security notions similar 20
Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability 21
Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) 21
Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability Other direction unclear, sim-based notion seems stronger 21
Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability 21 Other direction unclear, sim-based notion seems stronger First undeniable, unbounded, indistinguishable acc Nearly ZK sets t-bounded
Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 22
Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m 23
Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward 23
Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m 23
Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m Hiding: For C to either m 0 or m 1. Intractable to decide whether C opens to m 0 or m 1 23
Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true 24
Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding 24
Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding 24
Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding Observe: cfw-indistinguishability not useful 24
Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set 25
Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set Trapdoor commitments Use sk acc as trapdoor 25
Conclusion Unified model for accumulators Covering all features existing to date 26
Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme 26
Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme Show relations to other primitives Commitments Zero-knowledge sets Yields first undeniable, unbounded, indistinguishable, universal accumulator Inspiration for new constructions 26
Thank you. david.derler@iaik.tugraz.at Extended version: http://eprint.iacr.org/2015/087
References I [BLL02] Ahto Buldas, Peeter Laud, and Helger Lipmaa. Eliminating counterevidence with applications to accountable certificate management. Journal of Computer Security, 10(3):273 296, 2002. [Ngu05] Lan Nguyen. Accumulators from bilinear pairings and applications. In Topics in Cryptology - CT-RSA 2005, The Cryptographers Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18, 2005, Proceedings, pages 275 292, 2005. 28