Upcoming SlideShare
×

# Strong Accumulators From Collision-Resistant Hashing

660 views

Published on

Slides of the paper presented at Information Security Conference 2008, Tapei, Taiwan.

Published in: Technology
1 Like
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

Views
Total views
660
On SlideShare
0
From Embeds
0
Number of Embeds
112
Actions
Shares
0
0
0
Likes
1
Embeds 0
No embeds

No notes for slide

### Strong Accumulators From Collision-Resistant Hashing

1. 1. Strong Accumulators from Collision-Resistant Hashing ISC 2008 Taipei - TaiwanPhilippe Camacho (University of Chile)Alejandro Hevia (University of Chile)Marcos Kiwi (University of Chile)Roberto Opazo (CEO Acepta.com)
2. 2. Outline Notion of accumulator Motivation  e-Invoice Factoring Our construction Conclusion
3. 3. Notion of accumulator Problem A set X.  Given an element x we wish to prove that this element belongs or not to X. Let X={x1,x2,…,xn}: X will be represented by a short value Acc.  Belongs(Acc,x,w) = True  x belongs to X. Witness
4. 4. Notion of accumulator Accumulator Manager  Computes setup values.  Computes the accumulated value Acc.  Computes the witness wx for a given x. Accumulator Users  Check that an element belongs or not to the set, using Acc, wx and x.
5. 5. Applications Time-stamping [BeMa94] Certificate Revocation List [LLX07] Anonymous credentials [CamLys02] E-Cash [AWSM07] Broadcast Encryption [GeRa04]…
6. 6. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity Provider Client (Milk seller) (Supermarket)
7. 7. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) (*) but I do not want to pay yet.
8. 8. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
9. 9. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity e . oic nv th ei a y sep ea ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
10. 10. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity ). y (* * . e e on oic r m nv ou h ei y t is p ay e re se )H ea 4 ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
11. 11. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity ). 5 y (* * )I t’s . e e on tim oic m e nv ur to th ei yo pa y is y. pa re se He l ea 4) 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
12. 12. Nothing to see with Number Theory!Factoring Industry in Chile Factoring Entity 6) ). 5 He y (* * )I t’s re e. o ne tim is oic rm e th e nv u to m th ei yo pa on is ey p ay er e y. . e )H le as 4 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
13. 13. The Problem A malicious provider could send the same invoice to various Factoring Entities. Then he leaves to a far away country with all the money. Later, several Factoring Entities will try to charge the invoice to the same client. Losts must be shared…
14. 14. Solution with Factoring Authority Factoring Authority (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
15. 15. Caveat This solution is quite simple. However  Trusted Factoring Authority is needed. Can we remove this requirement?
16. 16. Properties Dynamic  Allows insertion/deletion of elements. Universal  Allows proofs of membership and nonmembership. Strong  No need to trust in the Accumulator Manager.
17. 17. Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition[BarPfi97] Strong RSA O(1) -[CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor[AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update
18. 18. Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition[BarPfi97] Strong RSA O(1) -[CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor[AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update[CHKO08] Collision-Resistant Hashing O(ln(n)) Our work
19. 19. Notation H: {0,1}*→{0,1}k  randomly chosen function from a family of collision-resistant hash functions. x1,x2,x3,…є {0,1}k  x1 < x2 < x3 < … where < is the lexicographic order on binary strings. -∞,∞  Special values such that  For all x є {0,1}k : -∞ < x < ∞ || denotes the concatenation operator.
20. 20. Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4)Root value:Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3)the set {x1,…,x8} x4 x1 x5 x6 x2 x8 x7 x3
21. 21. Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4)Root value: O(ln(n))Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3)the set {x1,…,x8} x4 x1 x5 x6 x2 x8 x7 x3
22. 22. Ideas How to prove non-membership?  Kocher’strick [Koch98]: store pair of consecutive values  X={1,3,5,6,11}  X’={(-∞,1),(1,3),(3,5),(5,6),(6,11),(11, ∞)}  y=3 belongs to X  (1,3) or (-∞,1) belongs to X’.  y=2 does not belong to X  (1,3) belongs to X’.
23. 23. Public Data Structure Called “Memory”. Compute efficiently the accumulated value and the witnesses. In our construction the Memory will be a binary tree.
24. 24. How to insert elements? (-∞,∞) X=Ø, next: x1
25. 25. How to insert elements? (-∞,x1) (x1, ∞) X={x1}, next: x2
26. 26. How to insert elements? (-∞,x1) (x1, x2) (x2, ∞) X={x1,x2}, next: x5
27. 27. How to insert elements? (-∞,x1) (x1, x2) (x2, x5) (x5, ∞) X={x1,x2,x5}, next: x3
28. 28. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x5) X={x1,x2,x3,x5}, next: x4
29. 29. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x4) (x4, x5) X={x1,x2,x3,x4,x5}, next: x6
30. 30. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6}
31. 31. How to compute the accumulatedvalue? (-∞,x ) 1 (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) ProofN=H(Proofleft||Proofright||value) ProofNil= “” A pair (xi,xj) Acc = ProofRoot
32. 32. How to update the accumulatedvalue? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Next element to be inserted: x8 We will need to recompute proof node values.
33. 33. How to update the accumulatedvalue? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x8) (x8, x9) New element: x8. ProofN stored in each node. Dark nodes do not require recomputing ProofN. Only a logarithmic number of values needs recomputation.
34. 34. Security Consistency  Difficult to find witnesses that allow to prove inconsistent statements.  X={1,2}  Hard to compute a membership witness for 3.  Hard to compute a nonmembership witness for 2. Update  Guarantees that the accumulated value represents the set after insertion/deletion of x.
35. 35. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
36. 36. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
37. 37. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
38. 38. Security Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult. Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3)(x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
39. 39. Security (Consistency) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Witness: blue nodes and the (x3,x4) pair, size in O(ln(n)) Checking that x belongs (or not) to X: 1) compute recursively the proof P and verify that P=Acc 2) check that: x=x3 or x=x4 (membership) x3 < x < x4 (nonmembership)
40. 40. Security (Update) Before After (-∞,x1) (-∞,x1) Accbefore Accafter (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) (x9, ∞) (x7, x8) (x8, x9) Insertion of x8
41. 41. Conclusion & Open Problem First dynamic, universal, strong accumulator. Simple. Security  Existence of collision-resistant hash functions. Solves the e-Invoice Factoring Problem. Less efficient than other constructions  Size of witness in O(ln(n)). Open Problem “Is it possible to build a strong,dynamic and universal accumulator with witness size lower than O(ln(n))?”
42. 42. Thank you!
43. 43. Invoice Factoring usingaccumulator We need a secure broadcast channel  Ifa message m is published, every participant sees the same m. Depending on the security level required  Trusted http of ftp server  Bulletin Board [CGS97]
44. 44. Invoice Factoring usingaccumulator Factoring Authority We need to see in detail this step (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
45. 45. Invoice Factoring usingaccumulator Step 5 (Details) FE Factoring Authority Have you got invoice x? wx = Witness(mbefore,x) YES/NO, wx Check(Accbefore,wx,x) If NO, insert x Accnew,wup = UpdateAdd(mbefore,x) Accnew,wup,IDFE CheckUpdate(Accbefore,Accafter,wx) All tests pass => I can buy x.
46. 46. Distributed solutions? Complex to implement Hard to make them robust High bandwith communication Need to be online – synchronization problems That’s why we focus on a centralized solution.
47. 47. Checking for (non-)membership User Accumulator Manager Does x belong to X? Memory wx = Witness(m,x) wxBelongs(Acc,wx) = True  x є XIf wx is not valid Belongs returns ┴.
48. 48. Update of theaccumulated value User Accumulator Manager Insert or Delete x mafter, Accafter,wup = UpdateAdd/Del(mbefore,x) Accafter, wupCheckUpdate(Accbefore,Accafter,wup)
49. 49. How to delete elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6} element to be deleted: x2
50. 50. How to delete elements? (-∞,x1) (x1,x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞)
51. 51. How to delete elements? (-∞,x1) (x1, x3) (x6, ∞) (x5, x6) (x3, x4) (x4, x5)
52. 52. Bibliography [BeMa92] Efficient Broadcast Time-Stamping Josh Benaloh and Michael de Mare 1992 [BeMa94] One-way Accumulators: A decentralized Alternative to Digital Signatures Josh Benaloh and Michael de Mare , 1994 [BarPfi97] Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees Niko Barić and Birgit Pfitzmann 1997 [CGS97] A secure and optimally efﬁcient multi-authority election scheme R. Cramer, R. Gennaro, and B. Schoenmakers 1997 [Koch98] On certiﬁcate revocation and validation P.C. Kocher 1998 [CGH98] The random oracle methodoly revisited R. Canetti, O. Goldreich and S. Halevi 1998 [Sand99] Efficient Accumulators Without Trapdoor Tomas Sanders 1999 [GoTa01] An efficient and Distributed Cryptographic Accumulator Michael T. Goodrich and Roberto Tamassia 2001 [CamLys02] Dynamic Accumulators And Application to Efficient Revocation of Anonymous Credentials Jan Camenisch Anna Lysyanskaya 2002 [GeRa04] RSA Accumulator Based Broadcast Encryption Craig Gentry and Zulfikar Ramzan 2004 [LLX07] Universal Accumulators with Efficient Nonmembership Proofs Jiangtao Li, Ninghui Li and Rui Xue 2007 [AWSM07] Compact E-Cash from Bounded Accumulator Man Ho Au, Qianhong Wu, Willy Susilo and Yi Mu 2007 [WWP08] A new Dynamic Accumulator for Batch Updates Peishun Wang, Huaxiong Wang and Josef Pieprzyk 2008 [CKHO08] Strong Accumulators from Collision-Resistant Hashing Philippe Camacho, Alejandro Hevia, Marcos Kiwi, and Roberto Opazo 2008