On the Impossibility of Batch Update for Cryptographic Accumulators

Transcription

1 for Philippe Camacho Alejandro Hevia FMCrypto Workshop: Formal Methods in Cryptography University of Chile March 24, 2010

2 Introduction This work is about an impossibility result... [FN02] Open problem: Can we build accumulators with? [WWP07, WWP08] Construction for accumulators with. Problem: the construction is not secure. 8 papers(without ours) cite [WWP07], two of them build upon [WWP07]. [CH09](our work): is impossible!

3 Notion of Cryptographic Accumulator Problem A set X Given an element x: prove/verify x X Let X = {x 1,..., x n } X will be represented by a short value Acc X Verify(x, w, Acc X ): returns Yes whether x X Vocabulary Acc X is called the accumulated value for X w is called a witness

4 Participants Introduction Manager Computes setup values Computes the accumulated value Acc Computes the witness w x for a given x User Ask for element insertion or deletion to the Manager Ask for witness computation to the Manager Check whether x X using Acc, w x and x

5 Applications Introduction Time-stamping [BdM94] Anonymous Credentials [CL02] Broadcast Encryption [GR04] Certificate Revocation List [LLX07]...

6 Some properties Dynamic / Static Weak / Strong Universal (non-membership proofs) In our case we study dynamic accumulators that are dynamic, not strong and not universal.

7 Operations (1/2) Algorithm Returns Run by KeyGen(1 k ) (PK, SK), Acc Manager AddEle(x, Acc X, SK) Acc X {x} Manager DelEle(x, Acc X, SK) Acc X \{x} Manager WitGen(x, Acc X, SK) witness w for x relative to Acc X Manager Verify(x, w, Acc X, PK) returns Yes whether x X User

8 Operations (2/2) Algorithm Returns Run by UpdWitGen(X, X, SK) Upd X,X for the elements Manager x X X. UpdWit(w, Upd X,X, PK) new witness w for x X User

9 Security Model ([CL02]) Pr [ Verify(x, w, Acc X, PK) = Yes x / X ] = neg(k)

10 The Property ([FN02]) Definition ( for accumulator schemes). Let Acc be an accumulator scheme. Acc has the property if for every pair (X, X ) we have Upd X,X = O(k) where k is the security parameter. In other words, the information needed to update all the user s witnesses should have size independent w.r.t the cardinality of the sets X, X.

11 Problem with the construction of [WWP07] Description of the Attack X 0 = Insert x 1. X 1 = {x 1 } Delete x 1. X 2 = Ask for the update information Upd X1,X 2 With Upd X1,X 2 But x 1 / X 2! I can update my witness w x1

12 Our result Introduction Theorem For an update involving m delete operations in a set of N elements, the size of the information Upd X,X required by the algorithm UpdWit while keeping the dynamic accumulator secure is Ω(m log N m ). In particular if m = N 2 with N even, we have Upd X,X = Ω(m). Corollary Cryptographic accumulators with do not exist. Proof of Corollary. X = p(k) where p is a polynomial. Then Upd X,X = Ω( X ) = Ω(p(k)) = ω(k).

13 Proof of the Theorem Proof. X = {x 1,..., x N } The Manager deletes m elements from X New set X = X \ X d where X d = {x i1, x i2,..., x im } The Manager sends Upd X,X to the User The user runs UpdWit on every witness w x for x X w x = UpdWit(wx, Upd X,X, PK) is valid x X else x / X So only with the information contained in Upd X,X the User can rebuild X d How much information is needed to code X d? ( log( N m) ) ( N m) ( m N )m Upd X,X m log N m

14 Thank you!

15 Josh C Benaloh and Michael de Mare. One-Way Accumulators: A Decentralized Alternative to Digital Signatures. Lecture Notes in Computer Science, 765:274 -??, Philippe Camacho and Alejandro Hevia. On the impossiblity of batch update for cryptographic accumulators. Technical report, Jan Camenisch and Anna Lysyanskaya. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. Lecture Notes In Computer Science; Vol. 2442, Nelly Fazio and Antonio Nicolisi. : Definitions, Constructions and Applications. Technical report, Craig Gentry and Zulfikar Ramzan. RSA Accumulator Based Broadcast Encryption. In Information Security, pages Jiangtao Li, Ninghui Li, and Rui Xue. Universal Accumulators with Efficient Nonmembership Proofs. In Applied Cryptography and Network Security, pages Peishun Wang, Huaxiong Wang, and Josef Pieprzyk. A New Dynamic Accumulator for s. In Information and Communications Security, pages Peishun Wang, Huaxiong Wang, and Josef Pieprzyk. Improvement of a Dynamic Accumulator at ICICS 07 and Its Application in Multi-user Keyword-Based Retrieval on Encrypted Data.

16 In Asia-Pacific Conference on Services Computing IEEE, volume 0, pages , Washington, DC, USA, IEEE Computer Society.