Efficient Constructions of Bilinear Accumulators Ioanna Karantaidou, Foteini Baldimtsi
Set Membership
[Diagram: a service (bank, GMU, subscription-based service, etc.) keeps a list of members; Alice says "I am Alice".]
List of members as a data structure:
• Size of list: O(n)
• (At least one of) additions/deletions, lookups depends on n
• Privacy against list holder / membership verification in a privacy-preserving way: Expensive!
Accumulator Setting
[Diagram: MANAGER (Set S) and VERIFIER (Acc.v). Initialize & Create Acc.v. Accumulator value: holds Set S.]
Positive Accumulator: adding User x
[Diagram: MANAGER (Set S), VERIFIER (Acc.v), User x. Add(x); Update Acc.v; User x receives x, Wx; update message; UpdateAlg.]
Positive Accumulator: proving membership
[Diagram: MANAGER (Set S), VERIFIER (Acc.v), User x. Add(x); Update Acc.v; User x presents x, Wx for access/service; update message; UpdateAlg.]
• Accumulator value size: O(1)
• Witness size: O(1)
• UpdateAlg: O(1)
• Membership verification time: O(1)
Security Properties (membership)
Set/List: verification = lookup. Accumulator acc: verification algorithm $\mathrm{VerMem}(w_x)$.
• $x \in acc \rightarrow \mathrm{VerMem}(w_x) = 1$: Alice is a member → verification correctness
• $x \notin acc \rightarrow \mathrm{VerMem}(w_x) = 0$ (or $= 1$ with negligible prob.): Bob is not a member → verification soundness
2 Types of Accumulators
RSA based accumulators [CL02, LLX07, BdM93]
• Accumulate odd prime numbers
• Factorization of group hidden
• Strong RSA assumption
Bilinear pairing based accumulators [N05, CKS09, ATSM09, ZKP17]
• Accumulate integers
• Known order groups
• Witness, accumulator value belong in pairing friendly groups
• q-SDH assumption
Choice depends on the application!
Common Issues with Known Accumulators
• Unnecessary accumulator updates that cause high communication costs
• Expensive non-membership operations
• Computational overhead due to extra properties
Can we do better if we take advantage of the presence of a trusted entity (manager)?
Discussion on the secret key model
• Most known constructions have a trusted setup
• Anonymous Credentials, subscription-based services, etc.
Our Results
1. Positive Bilinear Accumulator with Optimal Communication Cost
2. Universal Bilinear Accumulator with Constant Non-Membership Witness Creation
3. ZK Accumulator with Constant Non-Membership Witness Creation and Update
FIRST CONSTRUCTION Positive Bilinear Accumulator with Optimal Communication Cost
Positive Bilinear Accumulator: Add(x)
[Diagram: manager (sk, Set S) and User x.]
• Before Add(x): $Acc.v = g^{(x_1+sk)\cdots(x_n+sk)}$
• After Add(x): $Acc.v = g^{(x_1+sk)\cdots(x_n+sk)(x+sk)}$, upmsg
• Witness of User x: $w_x = g^{(x_1+sk)\cdots(x_n+sk)}$
Positive Bilinear Accumulator: Verification
• $w_x = Acc.v^{(x+sk)^{-1}}$, that is, $w_x^{(x+sk)} = Acc.v$
• $Acc.v = g^{(x_1+sk)\cdots(x_n+sk)(x+sk)}$ and $w_x = g^{(x_1+sk)\cdots(x_n+sk)}$
• Public parameters: $g, g^{sk}, g^{(sk)^2}, g^{(sk)^3}, \ldots \rightarrow g^{x}, g^{sk}$
• VerMem: $e(w_x, g^{x} g^{sk}) = e(Acc.v, g)$
Positive Bilinear Accumulator: Del(x)
[Diagram: manager (sk, Set S) and User x.]
• Before Del(x): $Acc.v = g^{(x_1+sk)\cdots(x_n+sk)(x+sk)}$
• After Del(x): $Acc.v = g^{(x_1+sk)\cdots(x_n+sk)}$, upmsg
Positive Bilinear Accumulator
Minimum communication bound (on update messages) for positive accumulators = |d| (number of deletions).
Camacho, Philippe, and Alejandro Hevia. "On the impossibility of batch update for cryptographic accumulators." International Conference on Cryptology and Information Security in Latin America. Springer, Berlin, Heidelberg, 2010.
Positive Bilinear Accumulator with Optimal Communication Cost: First try
[Diagram: manager (sk) and User x.]
• $Acc.v = u$
• Add(x): $w_x = u^{(x+sk)^{-1}}$
• Del(x): $Acc.v = u^{(x+sk)^{-1}}$, upmsg
Properties:
• Communication efficient
• Dynamic (add, del)
• Positive (membership)
• Correctness holds and VerMem same
• Soundness??
Positive Bilinear Accumulator with Optimal Communication Cost: First try
Proof overview:
• R (public parameters) runs an adversary A (public parameters)
• A submits lists of to-be-added, to-be-deleted elements $L_A, L_D$
• R simulates updates and witnesses
• A breaks acc soundness
• R breaks q-SDH assumption
q-SDH: Given $(p, G, G_T, e, g)$, $\{g^{(sk)^i}\}$, $i = 0, \ldots, q$, there is negligible probability of finding $g^{\frac{1}{sk+x}}$ for $x \in \mathbb{Z}_p$.
Adaptive soundness not achieved.
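The first-try construction above, as an added example that is not from the slides or the authors: a toy model in which every group element is stored as its exponent, so the pairing check becomes multiplication mod P (insecure, algebra only). The modulus `P`, the class and function names, and the witness-update formula on deletion are assumptions introduced here; this is the variant the slides mark as not adaptively sound.

```python
"""Toy algebra model of the first-try accumulator (INSECURE, for illustration only).

A group element g^a is stored as its exponent a mod P, so "raise to k" is
multiplication by k and the pairing e(g^a, g^b) = e(g, g)^(a*b) is a*b mod P.
"""
import secrets

P = 2**127 - 1  # prime group order, chosen for the demo (an assumption)

def inv(a):
    return pow(a % P, -1, P)

class Manager:
    def __init__(self):
        self.sk = secrets.randbelow(P - 1) + 1
        self.pk = self.sk                        # stands for g^sk (exposed only in this toy model)
        self.acc = secrets.randbelow(P - 1) + 1  # Acc.v = u, a random group element

    def add(self, x):
        """Add(x): Acc.v is unchanged and no upmsg is sent; w_x = u^((x+sk)^-1)."""
        return self.acc * inv(x + self.sk) % P

    def delete(self, x):
        """Del(x): Acc.v = u^((x+sk)^-1); returns the update message."""
        self.acc = self.acc * inv(x + self.sk) % P
        return (x, self.acc)

def ver_mem(acc, pk, x, w):
    """VerMem: e(w_x, g^x g^sk) == e(Acc.v, g)."""
    return w * (x + pk) % P == acc % P

def update_witness(x, w, upmsg):
    """Witness update on deletion of x_del (derived here, not on the slides):
    w' = (w / Acc.v_new)^(1/(x_del - x)), division being subtraction in this model."""
    x_del, acc_new = upmsg
    if x == x_del:
        raise ValueError("a deleted element has no valid witness")
    return (w - acc_new) * inv(x_del - x) % P

def demo():
    m = Manager()
    w_alice, acc0 = m.add(11), m.acc
    w_bob = m.add(22)                          # addition: nothing changes for Alice
    after_add = m.acc == acc0 and ver_mem(m.acc, m.pk, 11, w_alice)
    upmsg = m.delete(22)                       # deletion: one update message
    stale = ver_mem(m.acc, m.pk, 11, w_alice)  # old witness no longer verifies
    w_alice = update_witness(11, w_alice, upmsg)
    return after_add, stale, ver_mem(m.acc, m.pk, 11, w_alice), ver_mem(m.acc, m.pk, 22, w_bob)
```

`demo()` returns, in order: Alice's witness still valid after Bob is added, her stale witness after Bob is deleted, her updated witness, and Bob's witness after his deletion.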
Positive Bilinear Accumulator with Optimal Communication Cost: Modular Construction
[Diagram: (x, r) in an A-sound positive additive acc, combined with r in an NA-sound positive dynamic acc, gives an A-sound positive dynamic acc.]
• No updates for positive accumulator that supports additions only
• Updates for deletions
• r = F(x), where F() is a pseudorandom function
• Communication cost = |d|: Optimal!
Baldimtsi, Foteini, et al. "Accumulators with applications to anonymity-preserving revocation." 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2017.
Positive accumulators: comparison

Operation           Camenisch et al 09   Nguyen 05   this work (NA-sound)   this work (A-sound)
Add                 1                    1           1                      1
Del                 1                    1           1                      1
MemWitCreate        1                    1           1                      1
NonMemWitCreate     -                    -           -                      -
MemWitUpOnAdd       1                    1           0                      0
MemWitUpOnDel       1                    1           1                      1
NonMemWitUpOnAdd    -                    -           -                      -
NonMemWitUpOnDel    -                    -           -                      -
VerMem              1                    1           1                      1
VerNonMem           -                    -           -                      -
Manager storage     1                    1           1                      1
Parameters          2q                   q           q                      q
Com. cost           |a|+|d|              |a|+|d|     |d|                    |d|
Efficient ZKPs      ✓                    ✓           ✓                      ✓
Adaptively-sound    ✓                    ✓                                  ✓

• Jan Camenisch, Markulf Kohlweiss, and Claudio Soriente. An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In PKC 2009.
• Lan Nguyen. Accumulators from bilinear pairings and applications. In CT-RSA 2005.
SECOND CONSTRUCTION Universal Bilinear Accumulator with Constant Non-Membership Witness Creation
Additional Properties (non-membership: NM)
Set/List: NM verification = lookup. Accumulator acc: NM verification algorithm $\mathrm{VerNonMem}(w_x)$.
• $x \notin acc \rightarrow \mathrm{VerNonMem}(w_x) = 1$: Bob is not a member → NM verification correctness
• $x \in acc \rightarrow \mathrm{VerNonMem}(w_x) = 0$ (or $= 1$ with negligible prob.): Alice is a member → NM verification soundness
Generic Universal Modular Construction, motivation: Non-membership for y
Bilinear ATSM09, $S = \{x_i\}$, $x_i \in \mathbb{Z}_p$
• Users (public parameters) / Manager (sk): $S = \{x_i\}$, polynomial division
RSA LLX07, $S = \{y_i\}$, $y_i$ primes
• $a \left( \prod_{i=1}^{|S|} y_i \right) + b\,y = 1$
• Users (public parameters): $\prod_{i=1}^{|S|} y_i \in \mathbb{Z}$, Euclidean algorithm
Manager (sk): $\prod_{i=1}^{|S|} (x_i + sk) \in \mathbb{Z}$, used as exponent
Non-membership cost: |S|
Generic Universal Modular Construction: Overview
• Can we replace non-membership with constant-runtime membership?? Yes, with a trusted manager.
• Can we make sure that $ACC_1$ and $ACC_2$ are disjoint? The accumulator manager always signs the most up to date value of the accumulator.
[Diagram, with accumulators labelled $ACC_1$ and $ACC_2$: an A-sound positive dynamic acc for S, combined with an A-sound positive dynamic acc for D-S, gives an A-sound universal dynamic acc for S.]