on the impossibility of batch update for cryptographic accumulators
DESCRIPTION
Slides of the papeTRANSCRIPT
![Page 1: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/1.jpg)
On the Impossibility of Batch Update for
Cryptographic Accumulators
Philippe Camacho and Alejandro HeviaUniversity of Chile
![Page 2: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/2.jpg)
Certificate Authority
CABob
Bob
Bob Alice
![Page 3: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/3.jpg)
PKI
Bob
Bob
CRL/OSCP
? YES/NO
BobBob Alice
Certificate Authority
![Page 4: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/4.jpg)
?Insert/Delete
Owns a Set of valid certificates
X={x1,x2,…}
Bob Alice
CentralAuthority
![Page 5: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/5.jpg)
?INSERT/DELETE
Owns a Set X={x1,x2,…}
Bob Alice
CentralAuthority
![Page 6: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/6.jpg)
Central Authority
(PK,SK)
INSERT x Sign(x,SK)= σx
Replay Attack
Does x belong to X?
YES: σx
![Page 7: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/7.jpg)
Central Authority
(PK,SK)
Delete x
Replay Attack
Does x belong to X?
YES: σx
![Page 8: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/8.jpg)
ManagerAcc1, Acc2Acc1
Insert(x)
( x , )
Acc1, Acc2, Acc3
Verify( x , , Acc3) = YES
Witness
Bob Alice
![Page 9: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/9.jpg)
Manager
Delete(x)
Acc1, Acc2, Acc3, Acc4
Verify( x , , Acc4) = FAIL
OK
Bob Alice
![Page 10: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/10.jpg)
Manager
Insert(x)
( x , )
Acc1, Acc2, Acc3,…
Verify( x , , Acc3) = YES
Witness
Bob Alice
CryptographicAccumulator
![Page 11: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/11.jpg)
Main constructionsSecurity Note
[BeMa94] RSA + RO First definition
[BarPfi97] Strong RSA -
[CamLys02] Strong RSA First dynamic accumulator
[LLX07] Strong RSA First universal accumultor
[Ngu05] Pairings E-cash, ZK-Sets,…
[WWP08] eStrong RSAPaillier
Batch Update
[CHKO08] Collision-Resistant Hashing Untrusted Manager
[CKS09] Pairings Group multiplication
![Page 12: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/12.jpg)
Manager
Bob 1 Bob 2 Bob 3
x1 w1 x2 w2 x3 w3
Acc1Acc1, Acc2Acc1, Acc2, Acc3
![Page 13: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/13.jpg)
Problem: after each update of theaccumulated value it is necesarryto recompute all the witnesses.
![Page 14: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/14.jpg)
Delegate Witness Computation?
ConstructionsReplica
(Compute a single witness)
User (Verify)
[CL02] O(|X|) O(1)
[GTT09] O(|X|1/ε) O(ε)
[CHK08] O(log |X|) O(log |X|)
ManagerVerify(x,w,Acc)
![Page 15: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/15.jpg)
Manager…,Acc99, Acc100, Acc101,…, Acc200,…
(x1,w1,Acc100)( x2,w2,Acc100)( x6,w6,Acc100)
(x36,w36,Acc100)( x87,w87,Acc100)
(x1,w1,Acc100)( x20,w20,Acc100)( x69,w68,Acc100)( x64,w64,Acc100)
…
(x1,w1,Acc100)( x2,w2,Acc100)( x6,w6,Acc100)
….
Bob 42Bob 29Bob 1 Bob 2
Upd100,200
Batch Update[FN02]
![Page 16: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/16.jpg)
Manager…,Acc99, Acc100, Acc101,…, Acc200,…
(x1,w1’,Acc200)( x2,w2’,Acc200)( x6,w6’,Acc200)
(x36,w36’,Acc200)( x87,w87’,Acc200)
(x1,w1’,Acc200)( x20,w20’,Acc200)( x69,w68’,Acc200)( x64,w64’,Acc200)
…
(x1,w1’,Acc200)( x2,w2’,Acc200)( x6,w6’,Acc200)
….
Bob 42Bob 29Bob 1 Bob 2
Batch Update[FN02]
![Page 17: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/17.jpg)
Batch Update [FN02]
Trivial solution: UpdXi,Xj
= {list of all witnesses for Xj}
More interesting:|UpdXi,Xj
| = O(1)
![Page 18: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/18.jpg)
What happens with [CL02]?• PK=(n,g) with n=pq and g є Zn*
• AccØ := g mod n
• Insert(x,Acc) := Accx mod n /* x prime */
• Delete(x,Acc) := Acc1/x mod n
• WitGen(x,Acc) := Acc1/x mod n
• Verify(x,w,Acc): wx = Acc
• |UpdXi,Xj| = O(|{list of insertions / deletions}|)
?
![Page 19: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/19.jpg)
Syntax of B.U. Accumulators
Algorithm Returns Who runs it
KeyGen(1k) PK,SK,AccØ Manager
AddEle(x,AccX,SK) AccX {x} Manager
DelEle(x,AccX,SK) AccX\{x} Manager
WitGen(x,AccX,SK) Witness w relative to AccX Manager
Verify(x,w,AccX,PK) Returns Yes whether x є X User
UpdWitGen(X,X’,SK) UpdX,X’ for elements x є X X’ Manager
UpdWit(w,AccX,AccX’,UpdX,X’,PK) New witness w’ for x є X’ User
![Page 20: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/20.jpg)
Correctness
• DefinitionThe scheme is correct iff:
w := WitGen(x,AccX,SK) Verify(x,w,AccX,PK) = Yes
w := WitGen(x,AccX,SK)
UpdX,X’ := UpdWitGen(X,X’,SK)
w’ := WitGen(w,AccX,AccX’,UpdX,X’,PK)
Verify(x,w’,AccX’,PK) = Yes
![Page 21: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/21.jpg)
Manager
Security Model [CL02,WWP08]User
(Adversary) (Oracle)
Insert Request for xi
Acc
Delete Request for xj
Acc’
PK,AccØ
Witness Request for xi
w
Upd k,l
UpdateInfo Request from k to l
…
…
…
(x,w) such that w is valid but x є X
![Page 22: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/22.jpg)
Batch Update Construction [WWP08]
![Page 23: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/23.jpg)
Attack on [WWP08]
But x1 does not belong to X2!
User
X0 := Ø
Insert x1
Delete x1 X 1 := {x1}
Please send UpdX1,X2 X2 := Ø
UpdX1,X2
With UpdX1,X2 I can
update my witness wx1
Manager
![Page 24: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/24.jpg)
Batch Update is Impossible
• Theorem:Let Acc be a secure accumulator scheme with deterministic UpdWitand Verify algorithms.
For an update involving m delete operations in a set of N elements,the size of the update information UpdX,X' required by the algorithm
UpdWit is (m log(N/m)).
In particular if m=N/2 we have |UpdX,X'| = (m) = (N)
![Page 25: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/25.jpg)
X={x1,x2,…,xN} X={x1,x2,…,xN}
AccX , {w1,w2,…,wN} Compute AccX, {w1,w2,…,wN}
Delete Xd:={xi1
,xi2,…,xim
}X’ := X\Xd
AccX’ , UpdX,X’Compute
AccX’,UpdX,X’
Proof 1/3
User Manager
![Page 26: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/26.jpg)
Proof 2/3
User
X={x1,x2,…,xN}{w1,…,wN}AccX, AccX’, UpdX,X’
For each element xєX
w’ := UpdWit(w,AccX,AccX’,UpdX,X’)x w’ valid?
YES
NO
CASE 1
User can reconstruct the set Xd
CASE 1
If x is not in X’ => Scheme insecure
x still in X’
CASE 2
CASE 2
If x is in X’ => Scheme incorrect
x not in X’ anymore
![Page 27: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/27.jpg)
Proof 3/3
• There are subsets of m elements in a set of N elements
• We need log ≥ m log(N/m) bits to encode Xd
( )Nm
( )Nm
(See updated version at eprint soon for a detailed proof)
![Page 28: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/28.jpg)
Conclusion
• Batch Update is impossible.
• Batch Update for accumulators with few delete operations?
• Improve the lower bound in a factor of k.
![Page 29: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/29.jpg)
Thank you!
![Page 30: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/30.jpg)
Correction
• With negligible probability Bob could obtain a fake witness (and the scheme would still be secure)
=> The number of “good”subsets Xd is less than
( )N
m
![Page 31: On the Impossibility of Batch Update for Cryptographic Accumulators](https://reader031.vdocuments.net/reader031/viewer/2022020207/558e67dc1a28ab7c218b4765/html5/thumbnails/31.jpg)
A more careful analysis
• Pr[Xd leads to a fake witness] ≤ ε(k)
=> #”Good Xd sets” ≥ (1- ε(k))
=> |UpdX,X'| ≥ m log(M/m) + log(1- ε(k))
=> |UpdX,X'| ≥ m log(M/m) -1
=> |UpdX,X'| = ( m log(M/m))
( )Nm