SlideShare a Scribd company logo

Strong Accumulators From Collision-Resistant Hashing

Philippe Camacho, Ph.D.
Philippe Camacho, Ph.D.

Slides of the paper presented at Information Security Conference 2008, Tapei, Taiwan.

Technology
1 of 52
Strong Accumulators from Collision-Resistant Hashing ISC 2008 Taipei - Taiwan Philippe Camacho (University of Chile) Alejandro Hevia (University of Chile) Marcos Kiwi (University of Chile) Roberto Opazo (CEO Acepta.com)
Outline  Notion of accumulator  Motivation  e-Invoice Factoring  Our construction  Conclusion
Notion of accumulator  Problem A set X.  Given an element x we wish to prove that this element belongs or not to X.  Let X={x1,x2,…,xn}: X will be represented by a short value Acc.  Belongs(Acc,x,w) = True  x belongs to X. Witness
Notion of accumulator  Accumulator Manager  Computes setup values.  Computes the accumulated value Acc.  Computes the witness wx for a given x.  Accumulator Users  Check that an element belongs or not to the set, using Acc, wx and x.
Applications  Time-stamping [BeMa94]  Certificate Revocation List [LLX07]  Anonymous credentials [CamLys02]  E-Cash [AWSM07]  Broadcast Encryption [GeRa04] …
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity Provider Client (Milk seller) (Supermarket)
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) (*) but I do not want to pay yet.
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity e . oic nv th ei a y sep ea ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity ). y (* * . e e on oic r m nv ou h ei y t is p ay e re se )H ea 4 ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity ). 5 y (* * )I t’s . e e on tim oic m e nv ur to th ei yo pa y is y. pa re se He l ea 4) 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 6) ). 5 He y (* * )I t’s re e. o ne tim is oic rm e th e nv u to m th ei yo pa on is ey p ay er e y. . e )H le as 4 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
The Problem  A malicious provider could send the same invoice to various Factoring Entities.  Then he leaves to a far away country with all the money.  Later, several Factoring Entities will try to charge the invoice to the same client. Losts must be shared…
Solution with Factoring Authority Factoring Authority (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
Caveat  This solution is quite simple.  However  Trusted Factoring Authority is needed.  Can we remove this requirement?
Properties  Dynamic  Allows insertion/deletion of elements.  Universal  Allows proofs of membership and nonmembership.  Strong  No need to trust in the Accumulator Manager.
Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition [BarPfi97] Strong RSA O(1) - [CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor [AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update
Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition [BarPfi97] Strong RSA O(1) - [CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor [AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update [CHKO08] Collision-Resistant Hashing O(ln(n)) Our work
Notation  H: {0,1}*→{0,1}k  randomly chosen function from a family of collision-resistant hash functions.  x1,x2,x3,…є {0,1}k  x1 < x2 < x3 < … where < is the lexicographic order on binary strings.  -∞,∞  Special values such that  For all x є {0,1}k : -∞ < x < ∞  || denotes the concatenation operator.
Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4) Root value: Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3) the set {x1, …,x8} x4 x1 x5 x6 x2 x8 x7 x3
Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4) Root value: O(ln(n)) Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3) the set {x1, …,x8} x4 x1 x5 x6 x2 x8 x7 x3
Ideas  How to prove non-membership?  Kocher’strick [Koch98]: store pair of consecutive values  X={1,3,5,6,11}  X’={(-∞,1),(1,3),(3,5),(5,6),(6,11),(11, ∞)}  y=3 belongs to X  (1,3) or (-∞,1) belongs to X’.  y=2 does not belong to X  (1,3) belongs to X’.
Public Data Structure  Called “Memory”.  Compute efficiently the accumulated value and the witnesses.  In our construction the Memory will be a binary tree.
How to insert elements? (-∞,∞) X=Ø, next: x1
How to insert elements? (-∞,x1) (x1, ∞) X={x1}, next: x2
How to insert elements? (-∞,x1) (x1, x2) (x2, ∞) X={x1,x2}, next: x5
How to insert elements? (-∞,x1) (x1, x2) (x2, x5) (x5, ∞) X={x1,x2,x5}, next: x3
How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x5) X={x1,x2,x3,x5}, next: x4
How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x4) (x4, x5) X={x1,x2,x3,x4,x5}, next: x6
How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6}
How to compute the accumulated value? (-∞,x ) 1 (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) ProofN=H(Proofleft||Proofright||value) ProofNil= “” A pair (xi,xj) Acc = ProofRoot
How to update the accumulated value? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Next element to be inserted: x8 We will need to recompute proof node values.
How to update the accumulated value? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x8) (x8, x9) New element: x8. ProofN stored in each node. Dark nodes do not require recomputing ProofN. Only a logarithmic number of values needs recomputation.
Security  Consistency  Difficult to find witnesses that allow to prove inconsistent statements.  X={1,2}  Hard to compute a membership witness for 3.  Hard to compute a nonmembership witness for 2.  Update  Guarantees that the accumulated value represents the set after insertion/deletion of x.
Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
Security (Consistency) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Witness: blue nodes and the (x3,x4) pair, size in O(ln(n)) Checking that x belongs (or not) to X: 1) compute recursively the proof P and verify that P=Acc 2) check that: x=x3 or x=x4 (membership) x3 < x < x4 (nonmembership)
Security (Update) Before After (-∞,x1) (-∞,x1) Accbefore Accafter (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) (x9, ∞) (x7, x8) (x8, x9) Insertion of x8
Conclusion & Open Problem  First dynamic, universal, strong accumulator.  Simple.  Security  Existence of collision-resistant hash functions.  Solves the e-Invoice Factoring Problem.  Less efficient than other constructions  Size of witness in O(ln(n)).  Open Problem “Is it possible to build a strong,dynamic and universal accumulator with witness size lower than O(ln(n))?”
Thank you!
Invoice Factoring using accumulator  We need a secure broadcast channel  Ifa message m is published, every participant sees the same m.  Depending on the security level required  Trusted http of ftp server  Bulletin Board [CGS97]
Invoice Factoring using accumulator Factoring Authority We need to see in detail this step (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
Invoice Factoring using accumulator  Step 5 (Details) FE Factoring Authority Have you got invoice x? wx = Witness(mbefore,x) YES/NO, wx Check(Accbefore,wx,x) If NO, insert x Accnew,wup = UpdateAdd(mbefore,x) Accnew,wup,IDFE CheckUpdate(Accbefore,Accafter,wx) All tests pass => I can buy x.
Distributed solutions?  Complex to implement  Hard to make them robust  High bandwith communication  Need to be online – synchronization problems  That’s why we focus on a centralized solution.
Checking for (non-)membership User Accumulator Manager Does x belong to X? Memory wx = Witness(m,x) wx Belongs(Acc,wx) = True  x є X If wx is not valid Belongs returns ┴.
Update of the accumulated value User Accumulator Manager Insert or Delete x mafter, Accafter,wup = UpdateAdd/Del(mbefore,x) Accafter, wup CheckUpdate(Accbefore,Accafter,wup)
How to delete elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6} element to be deleted: x2
How to delete elements? (-∞,x1) (x1,x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞)
How to delete elements? (-∞,x1) (x1, x3) (x6, ∞) (x5, x6) (x3, x4) (x4, x5)
Bibliography  [BeMa92] Efficient Broadcast Time-Stamping Josh Benaloh and Michael de Mare 1992  [BeMa94] One-way Accumulators: A decentralized Alternative to Digital Signatures Josh Benaloh and Michael de Mare , 1994  [BarPfi97] Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees Niko Barić and Birgit Pfitzmann 1997  [CGS97] A secure and optimally efficient multi-authority election scheme R. Cramer, R. Gennaro, and B. Schoenmakers 1997  [Koch98] On certificate revocation and validation P.C. Kocher 1998  [CGH98] The random oracle methodoly revisited R. Canetti, O. Goldreich and S. Halevi 1998  [Sand99] Efficient Accumulators Without Trapdoor Tomas Sanders 1999  [GoTa01] An efficient and Distributed Cryptographic Accumulator Michael T. Goodrich and Roberto Tamassia 2001  [CamLys02] Dynamic Accumulators And Application to Efficient Revocation of Anonymous Credentials Jan Camenisch Anna Lysyanskaya 2002  [GeRa04] RSA Accumulator Based Broadcast Encryption Craig Gentry and Zulfikar Ramzan 2004  [LLX07] Universal Accumulators with Efficient Nonmembership Proofs Jiangtao Li, Ninghui Li and Rui Xue 2007  [AWSM07] Compact E-Cash from Bounded Accumulator Man Ho Au, Qianhong Wu, Willy Susilo and Yi Mu 2007  [WWP08] A new Dynamic Accumulator for Batch Updates Peishun Wang, Huaxiong Wang and Josef Pieprzyk 2008  [CKHO08] Strong Accumulators from Collision-Resistant Hashing Philippe Camacho, Alejandro Hevia, Marcos Kiwi, and Roberto Opazo 2008

Recommended

TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.A
TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.ATRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.A
TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.Aopereira2705
 
Blockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldBlockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldPhilippe Camacho, Ph.D.
 
Bitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesBitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesPhilippe Camacho, Ph.D.
 
Analyzing Bitcoin Security
Analyzing Bitcoin SecurityAnalyzing Bitcoin Security
Analyzing Bitcoin SecurityPhilippe Camacho, Ph.D.
 
Smart contracts
Smart contractsSmart contracts
Smart contractsPhilippe Camacho, Ph.D.
 
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Philippe Camacho, Ph.D.
 
Bitcoin y (in)seguridad: 5 paradojas
Bitcoin y (in)seguridad: 5 paradojasBitcoin y (in)seguridad: 5 paradojas
Bitcoin y (in)seguridad: 5 paradojasPhilippe Camacho, Ph.D.
 
No más Madoff: Satoshi al rescate
No más Madoff: Satoshi al rescateNo más Madoff: Satoshi al rescate
No más Madoff: Satoshi al rescatePhilippe Camacho, Ph.D.
 

Recommended

TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.A
TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.ATRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.A
TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.Aopereira2705
 
Blockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldBlockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldPhilippe Camacho, Ph.D.
 
Bitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesBitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesPhilippe Camacho, Ph.D.
 
Analyzing Bitcoin Security
Analyzing Bitcoin SecurityAnalyzing Bitcoin Security
Analyzing Bitcoin SecurityPhilippe Camacho, Ph.D.
 
Smart contracts
Smart contractsSmart contracts
Smart contractsPhilippe Camacho, Ph.D.
 
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Philippe Camacho, Ph.D.
 
Bitcoin y (in)seguridad: 5 paradojas
Bitcoin y (in)seguridad: 5 paradojasBitcoin y (in)seguridad: 5 paradojas
Bitcoin y (in)seguridad: 5 paradojasPhilippe Camacho, Ph.D.
 
No más Madoff: Satoshi al rescate
No más Madoff: Satoshi al rescateNo más Madoff: Satoshi al rescate
No más Madoff: Satoshi al rescatePhilippe Camacho, Ph.D.
 
Protocols for Provable Solvency
Protocols for Provable SolvencyProtocols for Provable Solvency
Protocols for Provable SolvencyPhilippe Camacho, Ph.D.
 
Más allá del dinero: Bitcoin
Más allá del dinero: BitcoinMás allá del dinero: Bitcoin
Más allá del dinero: BitcoinPhilippe Camacho, Ph.D.
 
Introducción a Bitcoin
Introducción a BitcoinIntroducción a Bitcoin
Introducción a BitcoinPhilippe Camacho, Ph.D.
 
How to explain bitcoin to your mother
How to explain bitcoin to your motherHow to explain bitcoin to your mother
How to explain bitcoin to your motherPhilippe Camacho, Ph.D.
 
Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPredicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPhilippe Camacho, Ph.D.
 
Cuidatusbitcoins
CuidatusbitcoinsCuidatusbitcoins
CuidatusbitcoinsPhilippe Camacho, Ph.D.
 
Fair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyFair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyPhilippe Camacho, Ph.D.
 
Foaf+ssl
Foaf+sslFoaf+ssl
Foaf+sslPhilippe Camacho, Ph.D.
 
Agilidad al rescate
Agilidad al rescateAgilidad al rescate
Agilidad al rescatePhilippe Camacho, Ph.D.
 
XPDay2009: Nameaction
XPDay2009: NameactionXPDay2009: Nameaction
XPDay2009: NameactionPhilippe Camacho, Ph.D.
 
On the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsOn the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsPhilippe Camacho, Ph.D.
 
Short Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesShort Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesPhilippe Camacho, Ph.D.
 
Security of DNS
Security of DNSSecurity of DNS
Security of DNSPhilippe Camacho, Ph.D.
 
Agile daychile2010
Agile daychile2010Agile daychile2010
Agile daychile2010Philippe Camacho, Ph.D.
 
Agiles2010
Agiles2010Agiles2010
Agiles2010Philippe Camacho, Ph.D.
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 

More Related Content

More from Philippe Camacho, Ph.D.

Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPredicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPhilippe Camacho, Ph.D.
 
Fair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyFair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyPhilippe Camacho, Ph.D.
 
On the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsOn the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsPhilippe Camacho, Ph.D.
 
Short Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesShort Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesPhilippe Camacho, Ph.D.
 

More from Philippe Camacho, Ph.D. (15)

Protocols for Provable Solvency
Protocols for Provable SolvencyProtocols for Provable Solvency
Protocols for Provable Solvency
 
Más allá del dinero: Bitcoin
Más allá del dinero: BitcoinMás allá del dinero: Bitcoin
Más allá del dinero: Bitcoin
 
Introducción a Bitcoin
Introducción a BitcoinIntroducción a Bitcoin
Introducción a Bitcoin
 
How to explain bitcoin to your mother
How to explain bitcoin to your motherHow to explain bitcoin to your mother
How to explain bitcoin to your mother
 
Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPredicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant Hashing
 
Cuidatusbitcoins
CuidatusbitcoinsCuidatusbitcoins
Cuidatusbitcoins
 
Fair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyFair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third Party
 
Foaf+ssl
Foaf+sslFoaf+ssl
Foaf+ssl
 
Agilidad al rescate
Agilidad al rescateAgilidad al rescate
Agilidad al rescate
 
XPDay2009: Nameaction
XPDay2009: NameactionXPDay2009: Nameaction
XPDay2009: Nameaction
 
On the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsOn the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic Accumulators
 
Short Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesShort Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed Trees
 
Security of DNS
Security of DNSSecurity of DNS
Security of DNS
 
Agile daychile2010
Agile daychile2010Agile daychile2010
Agile daychile2010
 
Agiles2010
Agiles2010Agiles2010
Agiles2010
 

Recently uploaded

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Recently uploaded (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Strong Accumulators From Collision-Resistant Hashing

  • 1. Strong Accumulators from Collision-Resistant Hashing ISC 2008 Taipei - Taiwan Philippe Camacho (University of Chile) Alejandro Hevia (University of Chile) Marcos Kiwi (University of Chile) Roberto Opazo (CEO Acepta.com)
  • 2. Outline  Notion of accumulator  Motivation  e-Invoice Factoring  Our construction  Conclusion
  • 3. Notion of accumulator  Problem A set X.  Given an element x we wish to prove that this element belongs or not to X.  Let X={x1,x2,…,xn}: X will be represented by a short value Acc.  Belongs(Acc,x,w) = True  x belongs to X. Witness
  • 4. Notion of accumulator  Accumulator Manager  Computes setup values.  Computes the accumulated value Acc.  Computes the witness wx for a given x.  Accumulator Users  Check that an element belongs or not to the set, using Acc, wx and x.
  • 5. Applications  Time-stamping [BeMa94]  Certificate Revocation List [LLX07]  Anonymous credentials [CamLys02]  E-Cash [AWSM07]  Broadcast Encryption [GeRa04] …
  • 6. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity Provider Client (Milk seller) (Supermarket)
  • 7. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) (*) but I do not want to pay yet.
  • 8. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
  • 9. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity e . oic nv th ei a y sep ea ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
  • 10. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity ). y (* * . e e on oic r m nv ou h ei y t is p ay e re se )H ea 4 ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
  • 11. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity ). 5 y (* * )I t’s . e e on tim oic m e nv ur to th ei yo pa y is y. pa re se He l ea 4) 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
  • 12. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 6) ). 5 He y (* * )I t’s re e. o ne tim is oic rm e th e nv u to m th ei yo pa on is ey p ay er e y. . e )H le as 4 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
  • 13. The Problem  A malicious provider could send the same invoice to various Factoring Entities.  Then he leaves to a far away country with all the money.  Later, several Factoring Entities will try to charge the invoice to the same client. Losts must be shared…
  • 14. Solution with Factoring Authority Factoring Authority (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
  • 15. Caveat  This solution is quite simple.  However  Trusted Factoring Authority is needed.  Can we remove this requirement?
  • 16. Properties  Dynamic  Allows insertion/deletion of elements.  Universal  Allows proofs of membership and nonmembership.  Strong  No need to trust in the Accumulator Manager.
  • 17. Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition [BarPfi97] Strong RSA O(1) - [CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor [AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update
  • 18. Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition [BarPfi97] Strong RSA O(1) - [CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor [AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update [CHKO08] Collision-Resistant Hashing O(ln(n)) Our work
  • 19. Notation  H: {0,1}*→{0,1}k  randomly chosen function from a family of collision-resistant hash functions.  x1,x2,x3,…є {0,1}k  x1 < x2 < x3 < … where < is the lexicographic order on binary strings.  -∞,∞  Special values such that  For all x є {0,1}k : -∞ < x < ∞  || denotes the concatenation operator.
  • 20. Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4) Root value: Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3) the set {x1, …,x8} x4 x1 x5 x6 x2 x8 x7 x3
  • 21. Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4) Root value: O(ln(n)) Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3) the set {x1, …,x8} x4 x1 x5 x6 x2 x8 x7 x3
  • 22. Ideas  How to prove non-membership?  Kocher’strick [Koch98]: store pair of consecutive values  X={1,3,5,6,11}  X’={(-∞,1),(1,3),(3,5),(5,6),(6,11),(11, ∞)}  y=3 belongs to X  (1,3) or (-∞,1) belongs to X’.  y=2 does not belong to X  (1,3) belongs to X’.
  • 23. Public Data Structure  Called “Memory”.  Compute efficiently the accumulated value and the witnesses.  In our construction the Memory will be a binary tree.
  • 24. How to insert elements? (-∞,∞) X=Ø, next: x1
  • 25. How to insert elements? (-∞,x1) (x1, ∞) X={x1}, next: x2
  • 26. How to insert elements? (-∞,x1) (x1, x2) (x2, ∞) X={x1,x2}, next: x5
  • 27. How to insert elements? (-∞,x1) (x1, x2) (x2, x5) (x5, ∞) X={x1,x2,x5}, next: x3
  • 28. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x5) X={x1,x2,x3,x5}, next: x4
  • 29. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x4) (x4, x5) X={x1,x2,x3,x4,x5}, next: x6
  • 30. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6}
  • 31. How to compute the accumulated value? (-∞,x ) 1 (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) ProofN=H(Proofleft||Proofright||value) ProofNil= “” A pair (xi,xj) Acc = ProofRoot
  • 32. How to update the accumulated value? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Next element to be inserted: x8 We will need to recompute proof node values.
  • 33. How to update the accumulated value? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x8) (x8, x9) New element: x8. ProofN stored in each node. Dark nodes do not require recomputing ProofN. Only a logarithmic number of values needs recomputation.
  • 34. Security  Consistency  Difficult to find witnesses that allow to prove inconsistent statements.  X={1,2}  Hard to compute a membership witness for 3.  Hard to compute a nonmembership witness for 2.  Update  Guarantees that the accumulated value represents the set after insertion/deletion of x.
  • 35. Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 36. Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 37. Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 38. Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 39. Security (Consistency) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Witness: blue nodes and the (x3,x4) pair, size in O(ln(n)) Checking that x belongs (or not) to X: 1) compute recursively the proof P and verify that P=Acc 2) check that: x=x3 or x=x4 (membership) x3 < x < x4 (nonmembership)
  • 40. Security (Update) Before After (-∞,x1) (-∞,x1) Accbefore Accafter (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) (x9, ∞) (x7, x8) (x8, x9) Insertion of x8
  • 41. Conclusion & Open Problem  First dynamic, universal, strong accumulator.  Simple.  Security  Existence of collision-resistant hash functions.  Solves the e-Invoice Factoring Problem.  Less efficient than other constructions  Size of witness in O(ln(n)).  Open Problem “Is it possible to build a strong,dynamic and universal accumulator with witness size lower than O(ln(n))?”
  • 43. Invoice Factoring using accumulator  We need a secure broadcast channel  Ifa message m is published, every participant sees the same m.  Depending on the security level required  Trusted http of ftp server  Bulletin Board [CGS97]
  • 44. Invoice Factoring using accumulator Factoring Authority We need to see in detail this step (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
  • 45. Invoice Factoring using accumulator  Step 5 (Details) FE Factoring Authority Have you got invoice x? wx = Witness(mbefore,x) YES/NO, wx Check(Accbefore,wx,x) If NO, insert x Accnew,wup = UpdateAdd(mbefore,x) Accnew,wup,IDFE CheckUpdate(Accbefore,Accafter,wx) All tests pass => I can buy x.
  • 46. Distributed solutions?  Complex to implement  Hard to make them robust  High bandwith communication  Need to be online – synchronization problems  That’s why we focus on a centralized solution.
  • 47. Checking for (non-)membership User Accumulator Manager Does x belong to X? Memory wx = Witness(m,x) wx Belongs(Acc,wx) = True  x є X If wx is not valid Belongs returns ┴.
  • 48. Update of the accumulated value User Accumulator Manager Insert or Delete x mafter, Accafter,wup = UpdateAdd/Del(mbefore,x) Accafter, wup CheckUpdate(Accbefore,Accafter,wup)
  • 49. How to delete elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6} element to be deleted: x2
  • 50. How to delete elements? (-∞,x1) (x1,x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞)
  • 51. How to delete elements? (-∞,x1) (x1, x3) (x6, ∞) (x5, x6) (x3, x4) (x4, x5)
  • 52. Bibliography  [BeMa92] Efficient Broadcast Time-Stamping Josh Benaloh and Michael de Mare 1992  [BeMa94] One-way Accumulators: A decentralized Alternative to Digital Signatures Josh Benaloh and Michael de Mare , 1994  [BarPfi97] Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees Niko Barić and Birgit Pfitzmann 1997  [CGS97] A secure and optimally efficient multi-authority election scheme R. Cramer, R. Gennaro, and B. Schoenmakers 1997  [Koch98] On certificate revocation and validation P.C. Kocher 1998  [CGH98] The random oracle methodoly revisited R. Canetti, O. Goldreich and S. Halevi 1998  [Sand99] Efficient Accumulators Without Trapdoor Tomas Sanders 1999  [GoTa01] An efficient and Distributed Cryptographic Accumulator Michael T. Goodrich and Roberto Tamassia 2001  [CamLys02] Dynamic Accumulators And Application to Efficient Revocation of Anonymous Credentials Jan Camenisch Anna Lysyanskaya 2002  [GeRa04] RSA Accumulator Based Broadcast Encryption Craig Gentry and Zulfikar Ramzan 2004  [LLX07] Universal Accumulators with Efficient Nonmembership Proofs Jiangtao Li, Ninghui Li and Rui Xue 2007  [AWSM07] Compact E-Cash from Bounded Accumulator Man Ho Au, Qianhong Wu, Willy Susilo and Yi Mu 2007  [WWP08] A new Dynamic Accumulator for Batch Updates Peishun Wang, Huaxiong Wang and Josef Pieprzyk 2008  [CKHO08] Strong Accumulators from Collision-Resistant Hashing Philippe Camacho, Alejandro Hevia, Marcos Kiwi, and Roberto Opazo 2008