Your SlideShare is downloading. ×
Strong Accumulators From Collision-Resistant Hashing
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Strong Accumulators From Collision-Resistant Hashing

405
views

Published on

Slides of the paper presented at Information Security Conference 2008, Tapei, Taiwan.

Slides of the paper presented at Information Security Conference 2008, Tapei, Taiwan.

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
405
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Strong Accumulators from Collision-Resistant Hashing ISC 2008 Taipei - TaiwanPhilippe Camacho (University of Chile)Alejandro Hevia (University of Chile)Marcos Kiwi (University of Chile)Roberto Opazo (CEO Acepta.com)
  • 2. Outline Notion of accumulator Motivation  e-Invoice Factoring Our construction Conclusion
  • 3. Notion of accumulator Problem A set X.  Given an element x we wish to prove that this element belongs or not to X. Let X={x1,x2,…,xn}: X will be represented by a short value Acc.  Belongs(Acc,x,w) = True  x belongs to X. Witness
  • 4. Notion of accumulator Accumulator Manager  Computes setup values.  Computes the accumulated value Acc.  Computes the witness wx for a given x. Accumulator Users  Check that an element belongs or not to the set, using Acc, wx and x.
  • 5. Applications Time-stamping [BeMa94] Certificate Revocation List [LLX07] Anonymous credentials [CamLys02] E-Cash [AWSM07] Broadcast Encryption [GeRa04]…
  • 6. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity Provider Client (Milk seller) (Supermarket)
  • 7. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) (*) but I do not want to pay yet.
  • 8. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
  • 9. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity e . oic nv th ei a y sep ea ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
  • 10. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity ). y (* * . e e on oic r m nv ou h ei y t is p ay e re se )H ea 4 ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
  • 11. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity ). 5 y (* * )I t’s . e e on tim oic m e nv ur to th ei yo pa y is y. pa re se He l ea 4) 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
  • 12. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity 6) ). 5 He y (* * )I t’s re e. o ne tim is oic rm e th e nv u to m th ei yo pa on is ey p ay er e y. . e )H le as 4 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
  • 13. The Problem A malicious provider could send the same invoice to various Factoring Entities. Then he leaves to a far away country with all the money. Later, several Factoring Entities will try to charge the invoice to the same client. Losts must be shared…
  • 14. Solution with Factoring Authority Factoring Authority (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
  • 15. Caveat This solution is quite simple. However  Trusted Factoring Authority is needed. Can we remove this requirement?
  • 16. Properties Dynamic  Allows insertion/deletion of elements. Universal  Allows proofs of membership and nonmembership. Strong  No need to trust in the Accumulator Manager.
  • 17. Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition[BarPfi97] Strong RSA O(1) -[CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor[AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update
  • 18. Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition[BarPfi97] Strong RSA O(1) -[CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor[AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update[CHKO08] Collision-Resistant Hashing O(ln(n)) Our work
  • 19. Notation H: {0,1}*→{0,1}k  randomly chosen function from a family of collision-resistant hash functions. x1,x2,x3,…є {0,1}k  x1 < x2 < x3 < … where < is the lexicographic order on binary strings. -∞,∞  Special values such that  For all x є {0,1}k : -∞ < x < ∞ || denotes the concatenation operator.
  • 20. Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4)Root value:Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3)the set {x1,…,x8} x4 x1 x5 x6 x2 x8 x7 x3
  • 21. Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4)Root value: O(ln(n))Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3)the set {x1,…,x8} x4 x1 x5 x6 x2 x8 x7 x3
  • 22. Ideas How to prove non-membership?  Kocher’strick [Koch98]: store pair of consecutive values  X={1,3,5,6,11}  X’={(-∞,1),(1,3),(3,5),(5,6),(6,11),(11, ∞)}  y=3 belongs to X  (1,3) or (-∞,1) belongs to X’.  y=2 does not belong to X  (1,3) belongs to X’.
  • 23. Public Data Structure Called “Memory”. Compute efficiently the accumulated value and the witnesses. In our construction the Memory will be a binary tree.
  • 24. How to insert elements? (-∞,∞) X=Ø, next: x1
  • 25. How to insert elements? (-∞,x1) (x1, ∞) X={x1}, next: x2
  • 26. How to insert elements? (-∞,x1) (x1, x2) (x2, ∞) X={x1,x2}, next: x5
  • 27. How to insert elements? (-∞,x1) (x1, x2) (x2, x5) (x5, ∞) X={x1,x2,x5}, next: x3
  • 28. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x5) X={x1,x2,x3,x5}, next: x4
  • 29. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x4) (x4, x5) X={x1,x2,x3,x4,x5}, next: x6
  • 30. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6}
  • 31. How to compute the accumulatedvalue? (-∞,x ) 1 (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) ProofN=H(Proofleft||Proofright||value) ProofNil= “” A pair (xi,xj) Acc = ProofRoot
  • 32. How to update the accumulatedvalue? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Next element to be inserted: x8 We will need to recompute proof node values.
  • 33. How to update the accumulatedvalue? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x8) (x8, x9) New element: x8. ProofN stored in each node. Dark nodes do not require recomputing ProofN. Only a logarithmic number of values needs recomputation.
  • 34. Security Consistency  Difficult to find witnesses that allow to prove inconsistent statements.  X={1,2}  Hard to compute a membership witness for 3.  Hard to compute a nonmembership witness for 2. Update  Guarantees that the accumulated value represents the set after insertion/deletion of x.
  • 35. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 36. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 37. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 38. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 39. Security (Consistency) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Witness: blue nodes and the (x3,x4) pair, size in O(ln(n)) Checking that x belongs (or not) to X: 1) compute recursively the proof P and verify that P=Acc 2) check that: x=x3 or x=x4 (membership) x3 < x < x4 (nonmembership)
  • 40. Security (Update) Before After (-∞,x1) (-∞,x1) Accbefore Accafter (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) (x9, ∞) (x7, x8) (x8, x9) Insertion of x8
  • 41. Conclusion & Open Problem First dynamic, universal, strong accumulator. Simple. Security  Existence of collision-resistant hash functions. Solves the e-Invoice Factoring Problem. Less efficient than other constructions  Size of witness in O(ln(n)). Open Problem “Is it possible to build a strong,dynamic and universal accumulator with witness size lower than O(ln(n))?”
  • 42. Thank you!
  • 43. Invoice Factoring usingaccumulator We need a secure broadcast channel  Ifa message m is published, every participant sees the same m. Depending on the security level required  Trusted http of ftp server  Bulletin Board [CGS97]
  • 44. Invoice Factoring usingaccumulator Factoring Authority We need to see in detail this step (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
  • 45. Invoice Factoring usingaccumulator Step 5 (Details) FE Factoring Authority Have you got invoice x? wx = Witness(mbefore,x) YES/NO, wx Check(Accbefore,wx,x) If NO, insert x Accnew,wup = UpdateAdd(mbefore,x) Accnew,wup,IDFE CheckUpdate(Accbefore,Accafter,wx) All tests pass => I can buy x.
  • 46. Distributed solutions? Complex to implement Hard to make them robust High bandwith communication Need to be online – synchronization problems That’s why we focus on a centralized solution.
  • 47. Checking for (non-)membership User Accumulator Manager Does x belong to X? Memory wx = Witness(m,x) wxBelongs(Acc,wx) = True  x є XIf wx is not valid Belongs returns ┴.
  • 48. Update of theaccumulated value User Accumulator Manager Insert or Delete x mafter, Accafter,wup = UpdateAdd/Del(mbefore,x) Accafter, wupCheckUpdate(Accbefore,Accafter,wup)
  • 49. How to delete elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6} element to be deleted: x2
  • 50. How to delete elements? (-∞,x1) (x1,x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞)
  • 51. How to delete elements? (-∞,x1) (x1, x3) (x6, ∞) (x5, x6) (x3, x4) (x4, x5)
  • 52. Bibliography [BeMa92] Efficient Broadcast Time-Stamping Josh Benaloh and Michael de Mare 1992 [BeMa94] One-way Accumulators: A decentralized Alternative to Digital Signatures Josh Benaloh and Michael de Mare , 1994 [BarPfi97] Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees Niko Barić and Birgit Pfitzmann 1997 [CGS97] A secure and optimally efficient multi-authority election scheme R. Cramer, R. Gennaro, and B. Schoenmakers 1997 [Koch98] On certificate revocation and validation P.C. Kocher 1998 [CGH98] The random oracle methodoly revisited R. Canetti, O. Goldreich and S. Halevi 1998 [Sand99] Efficient Accumulators Without Trapdoor Tomas Sanders 1999 [GoTa01] An efficient and Distributed Cryptographic Accumulator Michael T. Goodrich and Roberto Tamassia 2001 [CamLys02] Dynamic Accumulators And Application to Efficient Revocation of Anonymous Credentials Jan Camenisch Anna Lysyanskaya 2002 [GeRa04] RSA Accumulator Based Broadcast Encryption Craig Gentry and Zulfikar Ramzan 2004 [LLX07] Universal Accumulators with Efficient Nonmembership Proofs Jiangtao Li, Ninghui Li and Rui Xue 2007 [AWSM07] Compact E-Cash from Bounded Accumulator Man Ho Au, Qianhong Wu, Willy Susilo and Yi Mu 2007 [WWP08] A new Dynamic Accumulator for Batch Updates Peishun Wang, Huaxiong Wang and Josef Pieprzyk 2008 [CKHO08] Strong Accumulators from Collision-Resistant Hashing Philippe Camacho, Alejandro Hevia, Marcos Kiwi, and Roberto Opazo 2008

×