Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
×

# Strong Accumulators From Collision-Resistant Hashing

Slides of the paper presented at Information Security Conference 2008, Tapei, Taiwan.

• Full Name
Comment goes here.

Are you sure you want to Yes No
Your message goes here

### Strong Accumulators From Collision-Resistant Hashing

1. 1. Strong Accumulators from Collision-Resistant Hashing ISC 2008 Taipei - TaiwanPhilippe Camacho (University of Chile)Alejandro Hevia (University of Chile)Marcos Kiwi (University of Chile)Roberto Opazo (CEO Acepta.com)
2. 2. Outline Notion of accumulator Motivation  e-Invoice Factoring Our construction Conclusion
3. 3. Notion of accumulator Problem A set X.  Given an element x we wish to prove that this element belongs or not to X. Let X={x1,x2,…,xn}: X will be represented by a short value Acc.  Belongs(Acc,x,w) = True  x belongs to X. Witness
4. 4. Notion of accumulator Accumulator Manager  Computes setup values.  Computes the accumulated value Acc.  Computes the witness wx for a given x. Accumulator Users  Check that an element belongs or not to the set, using Acc, wx and x.
5. 5. Applications Time-stamping [BeMa94] Certificate Revocation List [LLX07] Anonymous credentials [CamLys02] E-Cash [AWSM07] Broadcast Encryption [GeRa04]…
6. 6. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity Provider Client (Milk seller) (Supermarket)
7. 7. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) (*) but I do not want to pay yet.
8. 8. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
9. 9. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity e . oic nv th ei a y sep ea ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
10. 10. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity ). y (* * . e e on oic r m nv ou h ei y t is p ay e re se )H ea 4 ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
11. 11. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity ). 5 y (* * )I t’s . e e on tim oic m e nv ur to th ei yo pa y is y. pa re se He l ea 4) 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
12. 12. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity 6) ). 5 He y (* * )I t’s re e. o ne tim is oic rm e th e nv u to m th ei yo pa on is ey p ay er e y. . e )H le as 4 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
13. 13. The Problem A malicious provider could send the same invoice to various Factoring Entities. Then he leaves to a far away country with all the money. Later, several Factoring Entities will try to charge the invoice to the same client. Losts must be shared…
14. 14. Solution with Factoring Authority Factoring Authority (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
15. 15. Caveat This solution is quite simple. However  Trusted Factoring Authority is needed. Can we remove this requirement?
16. 16. Properties Dynamic  Allows insertion/deletion of elements. Universal  Allows proofs of membership and nonmembership. Strong  No need to trust in the Accumulator Manager.
17. 17. Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition[BarPfi97] Strong RSA O(1) -[CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor[AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update
18. 18. Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition[BarPfi97] Strong RSA O(1) -[CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor[AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update[CHKO08] Collision-Resistant Hashing O(ln(n)) Our work
19. 19. Notation H: {0,1}*→{0,1}k  randomly chosen function from a family of collision-resistant hash functions. x1,x2,x3,…є {0,1}k  x1 < x2 < x3 < … where < is the lexicographic order on binary strings. -∞,∞  Special values such that  For all x є {0,1}k : -∞ < x < ∞ || denotes the concatenation operator.
20. 20. Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4)Root value:Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3)the set {x1,…,x8} x4 x1 x5 x6 x2 x8 x7 x3
21. 21. Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4)Root value: O(ln(n))Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3)the set {x1,…,x8} x4 x1 x5 x6 x2 x8 x7 x3
22. 22. Ideas How to prove non-membership?  Kocher’strick [Koch98]: store pair of consecutive values  X={1,3,5,6,11}  X’={(-∞,1),(1,3),(3,5),(5,6),(6,11),(11, ∞)}  y=3 belongs to X  (1,3) or (-∞,1) belongs to X’.  y=2 does not belong to X  (1,3) belongs to X’.
23. 23. Public Data Structure Called “Memory”. Compute efficiently the accumulated value and the witnesses. In our construction the Memory will be a binary tree.
24. 24. How to insert elements? (-∞,∞) X=Ø, next: x1
25. 25. How to insert elements? (-∞,x1) (x1, ∞) X={x1}, next: x2
26. 26. How to insert elements? (-∞,x1) (x1, x2) (x2, ∞) X={x1,x2}, next: x5
27. 27. How to insert elements? (-∞,x1) (x1, x2) (x2, x5) (x5, ∞) X={x1,x2,x5}, next: x3
28. 28. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x5) X={x1,x2,x3,x5}, next: x4
29. 29. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x4) (x4, x5) X={x1,x2,x3,x4,x5}, next: x6
30. 30. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6}
31. 31. How to compute the accumulatedvalue? (-∞,x ) 1 (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) ProofN=H(Proofleft||Proofright||value) ProofNil= “” A pair (xi,xj) Acc = ProofRoot
32. 32. How to update the accumulatedvalue? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Next element to be inserted: x8 We will need to recompute proof node values.
33. 33. How to update the accumulatedvalue? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x8) (x8, x9) New element: x8. ProofN stored in each node. Dark nodes do not require recomputing ProofN. Only a logarithmic number of values needs recomputation.
34. 34. Security Consistency  Difficult to find witnesses that allow to prove inconsistent statements.  X={1,2}  Hard to compute a membership witness for 3.  Hard to compute a nonmembership witness for 2. Update  Guarantees that the accumulated value represents the set after insertion/deletion of x.
35. 35. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
36. 36. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
37. 37. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
38. 38. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
39. 39. Security (Consistency) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Witness: blue nodes and the (x3,x4) pair, size in O(ln(n)) Checking that x belongs (or not) to X: 1) compute recursively the proof P and verify that P=Acc 2) check that: x=x3 or x=x4 (membership) x3 < x < x4 (nonmembership)
40. 40. Security (Update) Before After (-∞,x1) (-∞,x1) Accbefore Accafter (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) (x9, ∞) (x7, x8) (x8, x9) Insertion of x8
41. 41. Conclusion & Open Problem First dynamic, universal, strong accumulator. Simple. Security  Existence of collision-resistant hash functions. Solves the e-Invoice Factoring Problem. Less efficient than other constructions  Size of witness in O(ln(n)). Open Problem “Is it possible to build a strong,dynamic and universal accumulator with witness size lower than O(ln(n))?”
42. 42. Thank you!
43. 43. Invoice Factoring usingaccumulator We need a secure broadcast channel  Ifa message m is published, every participant sees the same m. Depending on the security level required  Trusted http of ftp server  Bulletin Board [CGS97]
44. 44. Invoice Factoring usingaccumulator Factoring Authority We need to see in detail this step (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
45. 45. Invoice Factoring usingaccumulator Step 5 (Details) FE Factoring Authority Have you got invoice x? wx = Witness(mbefore,x) YES/NO, wx Check(Accbefore,wx,x) If NO, insert x Accnew,wup = UpdateAdd(mbefore,x) Accnew,wup,IDFE CheckUpdate(Accbefore,Accafter,wx) All tests pass => I can buy x.
46. 46. Distributed solutions? Complex to implement Hard to make them robust High bandwith communication Need to be online – synchronization problems That’s why we focus on a centralized solution.
47. 47. Checking for (non-)membership User Accumulator Manager Does x belong to X? Memory wx = Witness(m,x) wxBelongs(Acc,wx) = True  x є XIf wx is not valid Belongs returns ┴.
48. 48. Update of theaccumulated value User Accumulator Manager Insert or Delete x mafter, Accafter,wup = UpdateAdd/Del(mbefore,x) Accafter, wupCheckUpdate(Accbefore,Accafter,wup)
49. 49. How to delete elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6} element to be deleted: x2
50. 50. How to delete elements? (-∞,x1) (x1,x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞)
51. 51. How to delete elements? (-∞,x1) (x1, x3) (x6, ∞) (x5, x6) (x3, x4) (x4, x5)
52. 52. Bibliography [BeMa92] Efficient Broadcast Time-Stamping Josh Benaloh and Michael de Mare 1992 [BeMa94] One-way Accumulators: A decentralized Alternative to Digital Signatures Josh Benaloh and Michael de Mare , 1994 [BarPfi97] Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees Niko Barić and Birgit Pfitzmann 1997 [CGS97] A secure and optimally efﬁcient multi-authority election scheme R. Cramer, R. Gennaro, and B. Schoenmakers 1997 [Koch98] On certiﬁcate revocation and validation P.C. Kocher 1998 [CGH98] The random oracle methodoly revisited R. Canetti, O. Goldreich and S. Halevi 1998 [Sand99] Efficient Accumulators Without Trapdoor Tomas Sanders 1999 [GoTa01] An efficient and Distributed Cryptographic Accumulator Michael T. Goodrich and Roberto Tamassia 2001 [CamLys02] Dynamic Accumulators And Application to Efficient Revocation of Anonymous Credentials Jan Camenisch Anna Lysyanskaya 2002 [GeRa04] RSA Accumulator Based Broadcast Encryption Craig Gentry and Zulfikar Ramzan 2004 [LLX07] Universal Accumulators with Efficient Nonmembership Proofs Jiangtao Li, Ninghui Li and Rui Xue 2007 [AWSM07] Compact E-Cash from Bounded Accumulator Man Ho Au, Qianhong Wu, Willy Susilo and Yi Mu 2007 [WWP08] A new Dynamic Accumulator for Batch Updates Peishun Wang, Huaxiong Wang and Josef Pieprzyk 2008 [CKHO08] Strong Accumulators from Collision-Resistant Hashing Philippe Camacho, Alejandro Hevia, Marcos Kiwi, and Roberto Opazo 2008