On the Impossibility of Batch Update for Cryptographic Accumulators. Philippe Camacho and Alejandro Hevia University of Chile

Transcription

1 On the Impossibility of Batch Update for Cryptographic Accumulators Philippe Camacho and Alejandro Hevia University of Chile

2 Certificate Authority Bob CA Bob Bob Alice

3 Certificate Authority CRL/OSCP Bob PKI Bob YES/NO Bob Bob Alice

4 Central Owns a Set of valid certificates X={x 1,x 2, } Authority Insert/ Delete Bob Alice

5 Central Owns a Set X={x 1,x 2, } Authority INSERT/ DELETE Bob Alice

6 Replay Attack Central Authority (PK,SK) INSERT x Sign(x,SK)= σ x YES: σ x Does x belong to X?

7 Replay Attack Central Authority (PK,SK) Delete x YES: σ x Does x belong to X?

8 Manager Acc 1, Acc 2, Acc 3 Insert(x) Witness ( x, ) Bob Verify( x, Alice, Acc 3 ) = YES

9 Manager Acc 1, Acc 2, Acc 3, Acc4 Delete(x) OK Bob Verify( x, Alice, Acc 4 ) = FAIL

10 Manager Acc 1, Acc 2, Acc 3, Cryptographic Insert(x) Accumulator Witness ( x, ) Bob Verify( x, Alice, Acc 3 ) = YES

11 Main constructions Security Note [BeMa94] RSA + RO First definition [BarPfi97] Strong RSA - [CamLys02] [LLX07] Strong RSA Strong RSA First dynamic accumulator First universal accumultor [Ngu05] Pairings E-cash, ZK-Sets, [WWP08] estrong RSA Paillier Batch Update [CHKO08] Collision-Resistant Hashing Untrusted Manager [CKS09] Pairings Group multiplication

12 Manager Acc 1, Acc 2, Acc 3 x 1 w 1 x 2 w 2 x 3 w 3 Bob 1 Bob 2 Bob 3

13 Problem: after each update of the accumulated value it is necesarry to recompute all the witnesses.

14 Delegate Witness Computation? Manager Verify(x,w,Acc) Constructions Replica (Compute a single witness) User (Verify) [CL02] O( X ) O(1) [GTT09] O( X 1/ε ) O(ε) [CHK08] O(log X ) O(log X )

15 Batch Update [FN02] Manager,Acc 99, Acc 100, Acc 101,, Acc 200, Upd 100,200 Bob 1 Bob 2 Bob 29 Bob 42 (x 1,w 1,Acc 100 ) ( x 2,w 2,Acc 100 ) ( x 6,w 6,Acc 100 ) (x 36,w 36,Acc 100 ) ( x 87,w 87,Acc 100 ) (x 1,w 1,Acc 100 ) ( x 20,w 20,Acc 100 ) ( x 69,w 68,Acc 100 ) ( x 64,w 64,Acc 100 ) (x 1,w 1,Acc 100 ) ( x 2,w 2,Acc 100 ) ( x 6,w 6,Acc 100 ).

16 Batch Update [FN02] Manager,Acc 99, Acc 100, Acc 101,, Acc 200, Bob 1 Bob 2 Bob 29 Bob 42 (x 1,w 1,Acc 200 ) ( x 2,w 2,Acc 200 ) ( x 6,w 6,Acc 200 ) (x 36,w 36,Acc 200 ) ( x 87,w 87,Acc 200 ) (x 1,w 1,Acc 200 ) ( x 20,w 20,Acc 200 ) ( x 69,w 68,Acc 200 ) ( x 64,w 64,Acc 200 ) (x 1,w 1,Acc 200 ) ( x 2,w 2,Acc 200 ) ( x 6,w 6,Acc 200 ).

17 Batch Update [FN02] Trivial solution: Upd X i,xj = {list of all witnesses for X j} More interesting: Upd X i,xj = O(1)

18 What happens with [CL02]? PK=(n,g) with n=pq and g є Z n * Acc Ø := g mod n Insert(x,Acc) := Acc x mod n /* x prime */ Delete(x,Acc) := Acc 1/x mod n WitGen(x,Acc) := Acc 1/x mod n Verify(x,w,Acc): w x = Acc? Upd X = O( {list of insertions / deletions} ) i,xj

19 Syntax of B.U. Accumulators Algorithm Returns Who runs it KeyGen(1 k ) PK,SK,Acc Ø Manager AddEle(x,Acc X,SK) Acc X {x} Manager DelEle(x,Acc X,SK) Acc X\{x} Manager WitGen(x,Acc X,SK) Witness w relative to Acc X Manager Verify(x,w,Acc X,PK) Returns Yes whether x є X User UpdWitGen(X,X,SK) Upd X,X for elements x є X X Manager UpdWit(w,Acc X,Acc X,Upd X,X,PK) New witness w for x є X User

20 Correctness Definition The scheme is correct iff: w := WitGen(x,Acc X,SK) Verify(x,w,Acc X,PK) = Yes w := WitGen(x,Acc X,SK) Upd X,X := UpdWitGen(X,X,SK) Verify(x,w,Acc X,PK) = Yes w := WitGen(w,Acc X,Acc X,Upd X,X,PK)

21 Security Model [CL02,WWP08] PK,AccØ Insert Request for x i (Adversary) Acc Delete Request for x j Acc (Oracle) Witness Request for x i w UpdateInfo Request from k to l Upd k,l (x,w) such that w is valid but x є X

22 Batch Update Construction [WWP08]

23 Attack on [WWP08] User Manager X 0 := Ø Insert x 1 Delete x 1 X 1 := {x 1 } Please send Upd X 1,X2 X 2 := Ø Upd X 1,X2 With Upd X 1,X2 I can update my witness w x1 But x 1 does not belong to X 2!

24 Batch Update is Impossible Theorem: Let Acc be a secure accumulator scheme with deterministic UpdWit and Verify algorithms. For an update involving m delete operations in a set of N elements, the size of the update information Upd X,X' required by the algorithm UpdWit is (m log(n/m)). In particular if m=n/2 we have Upd X,X' = (m) = (N)

25 Proof 1/3 User Manager X={x 1,x 2,,x N } X={x 1,x 2,,x N } Acc X, {w 1,w 2,,w N } Compute Acc X, {w 1,w 2,,w N } Delete X d :={x i 1,x i2,,x im } X := X\X d Acc X, Upd X,X Compute Acc X, Upd X,X

26 Proof 2/3 CASE 1 CASE 2 User X={x 1,x 2,,x N } {w 1,,w N } Acc X, Acc X, Upd X,X If x is not in X => Scheme insecure x still in X If x is in X => Scheme incorrect x not in X anymore YES CASE 1 For each element xєx x w := UpdWit(w,Acc X,Acc X,Upd X,X ) w valid? NO User can reconstruct the set X d CASE 2

27 Proof 3/3 ( N ) m There are of N elements subsets of m elements in a set ( N ) m to encode X d We need log m log(n/m) bits (See updated version at eprint soon for a detailed proof)

28 Conclusion Batch Update is impossible. Batch Update for accumulators with few delete operations? Improve the lower bound in a factor of k.

29 Thank you!

30 Correction With negligible probability Bob could obtain a fake witness (and the scheme would still be secure) => The number of good subsets X d is less than ( N ) m

31 A more careful analysis Pr[X d leads to a fake witness] ε(k) ( N ) => # Good X d sets m (1- ε(k)) => Upd X,X' m log(m/m) + log(1- ε(k)) => Upd X,X' m log(m/m) -1 => Upd X,X' = ( m log(m/m))