On the Impossibility of Batch Update for Cryptographic Accumulators

435 views
362 views

Published on

Slides of the pape

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
435
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

On the Impossibility of Batch Update for Cryptographic Accumulators

  1. 1. On the Impossibility of Batch Update for Cryptographic AccumulatorsPhilippe Camacho and Alejandro HeviaUniversity of Chile
  2. 2. Certificate Authority Bob CA BobBob Alice
  3. 3. Certificate CRL/OSCP Authority PKI Bob YES/NO Bob BobBob Alice
  4. 4. Owns a Set of valid certificates Central X={x1,x2,…} AuthorityInsert/Delete Bob Alice
  5. 5. Owns a Set Central X={x1,x2,…} AuthorityINSERT/DELETE Bob Alice
  6. 6. Replay Attack INSERT x Central Sign(x,SK)= σx YES: σxAuthority (PK,SK) Does x belong to X?
  7. 7. Replay Attack Central Delete x YES: σxAuthority (PK,SK) Does x belong to X?
  8. 8. Manager Acc1, Acc2, Acc3Insert(x) Witness ( x , ) Bob Alice Verify( x , , Acc3) = YES
  9. 9. Manager Acc1, Acc2, Acc3, Acc4Delete(x) OKBob Alice Verify( x , , Acc4) = FAIL
  10. 10. Manager Acc1, Acc2, Acc3,…CryptographicInsert(x)Accumulator Witness ( x , ) Bob Alice Verify( x , , Acc3) = YES
  11. 11. Main constructions Security Note[BeMa94] RSA + RO First definition[BarPfi97] Strong RSA - First dynamic[CamLys02] Strong RSA accumulator First universal [LLX07] Strong RSA accumultor [Ngu05] Pairings E-cash, ZK-Sets,… eStrong RSA[WWP08] Batch Update Paillier[CHKO08] Collision-Resistant Hashing Untrusted Manager [CKS09] Pairings Group multiplication
  12. 12. Manager Acc1, Acc2, Acc3 x1 w1 x2 w2 x3 w3Bob 1 Bob 2 Bob 3
  13. 13. Problem: after each update of theaccumulated value it is necesarryto recompute all the witnesses.
  14. 14. Delegate Witness Computation?Manager Verify(x,w,Acc) Replica Constructions (Compute User (Verify) a single witness) [CL02] O(|X|) O(1) [GTT09] O(|X|1/ε) O(ε) [CHK08] O(log |X|) O(log |X|)
  15. 15. Batch Update [FN02] Manager …,Acc99, Acc100, Acc101,…, Acc200,… Upd100,200 Bob 1 Bob 2 Bob 29 Bob 42 (x1,w1,Acc100) (x36,w36,Acc100) (x1,w1,Acc100) (x1,w1,Acc100) ( x2,w2,Acc100) ( x87,w87,Acc100) ( x20,w20,Acc100) ( x2,w2,Acc100) ( x6,w6,Acc100) ( x69,w68,Acc100) ( x6,w6,Acc100) ( x64,w64,Acc100) …. …
  16. 16. Batch Update [FN02] Manager …,Acc99, Acc100, Acc101,…, Acc200,… Bob 1 Bob 2 Bob 29 Bob 42 (x1,w1’,Acc200) (x36,w36’,Acc200) (x1,w1’,Acc200) (x1,w1’,Acc200) ( x2,w2’,Acc200) ( x87,w87’,Acc200) ( x20,w20’,Acc200) ( x2,w2’,Acc200) ( x6,w6’,Acc200) ( x69,w68’,Acc200) ( x6,w6’,Acc200) ( x64,w64’,Acc200) …. …
  17. 17. Batch Update [FN02] Trivial solution:UpdXi,Xj = {list of all witnesses for Xj} More interesting: |UpdXi,Xj| = O(1)
  18. 18. What happens with [CL02]?• PK=(n,g) with n=pq and g є Zn*• AccØ := g mod n• Insert(x,Acc) := Accx mod n /* x prime */• Delete(x,Acc) := Acc1/x mod n ?• WitGen(x,Acc) := Acc1/x mod n• Verify(x,w,Acc): wx = Acc• |UpdXi,Xj| = O(|{list of insertions / deletions}|)
  19. 19. Syntax of B.U. AccumulatorsAlgorithm Returns Who runs itKeyGen(1k) PK,SK,AccØ ManagerAddEle(x,AccX,SK) AccX  {x} ManagerDelEle(x,AccX,SK) AccX{x} ManagerWitGen(x,AccX,SK) Witness w relative to AccX ManagerVerify(x,w,AccX,PK) Returns Yes whether x є X UserUpdWitGen(X,X’,SK) UpdX,X’ for elements x є X  X’ ManagerUpdWit(w,AccX,AccX’,UpdX,X’,PK) New witness w’ for x є X’ User
  20. 20. Correctness• Definition The scheme is correct iff: w := WitGen(x,AccX,SK)  Verify(x,w,AccX,PK) = Yes w := WitGen(x,AccX,SK) Verify(x,w’,AccX’,PK) = Yes UpdX,X’ := UpdWitGen(X,X’,SK) w’ := WitGen(w,AccX,AccX’,UpdX,X’,PK)
  21. 21. Security Model [CL02,WWP08] PK,AccØ Insert Request for xi(Adversary) Acc (Oracle) … Delete Request for xj Acc’ Witness Request for xi w … UpdateInfo Request from k to l Upd k,l … (x,w) such that w is valid but x є X
  22. 22. Batch Update Construction [WWP08]
  23. 23. Attack on [WWP08] User Manager X0 := Ø Insert x1 Delete x1 X 1 := {x1} Please send UpdX1,X2 X2 := Ø UpdX1,X2With UpdX1,X2 I canupdate my witness wx1 But x1 does not belong to X2!
  24. 24. Batch Update is Impossible• Theorem:Let Acc be a secure accumulator scheme with deterministic UpdWitand Verify algorithms.For an update involving m delete operations in a set of N elements,the size of the update information UpdX,X required by the algorithmUpdWit is (m log(N/m)).In particular if m=N/2 we have |UpdX,X| =  (m) = (N)
  25. 25. Proof 1/3 User ManagerX={x1,x2,…,xN} X={x1,x2,…,xN} Compute AccX , {w1,w2,…,wN} AccX, {w1,w2,…,wN} Delete Xd:={xi1,xi2,…,xim} X’ := XXd Compute AccX’ , UpdX,X’ AccX’,UpdX,X’
  26. 26. Proof 2/3 CASE 1 CASE 2 If x is not in X’ => If x is in X’ => X={x1,x2,…,xN} Scheme insecure Scheme incorrect {w1,…,wN} AccX, AccX’, UpdX,X’ x still in X’ x not in X’ anymore User CASE 1 YESFor each element w’ :=xєX x UpdWit(w,AccX,AccX’,UpdX,X’) w’ valid? NO CASE 2 User can reconstruct the set Xd
  27. 27. Proof 3/3• There are ( ) subsets of m elements in a set N m of N elements• We need log( ) ≥ m log(N/m) bits N m to encode Xd (See updated version at eprint soon for a detailed proof)
  28. 28. Conclusion• Batch Update is impossible.• Batch Update for accumulators with few delete operations?• Improve the lower bound in a factor of k.
  29. 29. Thank you!
  30. 30. Correction• With negligible probability Bob could obtain a fake witness (and the scheme would still be secure) => The number of “good”subsets Xd is less than ( ) N m
  31. 31. A more careful analysis• Pr[Xd leads to a fake witness] ≤ ε(k) => #”Good Xd sets” ≥ ( ) (1- ε(k)) N m => |UpdX,X| ≥ m log(M/m) + log(1- ε(k)) => |UpdX,X| ≥ m log(M/m) -1 => |UpdX,X| = ( m log(M/m))

×