Strong Accumulators from CollisionResistant Hashing


 Arron Lane
 1 years ago
 Views:
Transcription
1 Strong Accumulators from CollisionResistant Hashing ISC 2008 Taipei  Taiwan Philippe Camacho (University of Chile Alejandro Hevia (University of Chile Marcos Kiwi (University of Chile Roberto Opazo (CEO Acepta.com
2 Outline Notion of accumulator Motivation einvoice Factoring Our construction Conclusion
3 Notion of accumulator Problem A set X. Given an element x we wish to prove that this element belongs or not to X. Let X={x 1,x 2,,x n }: X will be represented by a short value Acc. Belongs(Acc,x,w = True x belongs to X. Witness
4 Notion of accumulator Accumulator Manager Computes setup values. Computes the accumulated value Acc. Computes the witness w x for a given x. Accumulator Users Check that an element belongs or not to the set, using Acc, w x and x.
5 Applications Timestamping [BeMa94] Certificate Revocation List [LLX07] Anonymous credentials [CamLys02] ECash [AWSM07] Broadcast Encryption [GeRa04]
6 Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity Provider (Milk seller Client (Supermarket
7 Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity Provider (Milk seller 1 I want (a lot of milk now *. Client (Supermarket (* but I do not want to pay yet.
8 Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity Provider (Milk seller 1 I want (a lot of milk now *. 2 Here is your milk. Client (Supermarket (* but I do not want to pay yet.
9 Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 3 Please pay the invoice. Provider (Milk seller 1 I want (a lot of milk now *. 2 Here is your milk. Client (Supermarket (* but I do not want to pay yet.
10 Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 3 Please pay the invoice. 4 Here is your money (**. Provider (Milk seller 1 I want (a lot of milk now *. 2 Here is your milk. Client (Supermarket (* but I do not want to pay yet. (** minus a fee.
11 Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 3 Please pay the invoice. 4 Here is your money (**. 5 It s time to pay. Provider (Milk seller 1 I want (a lot of milk now *. 2 Here is your milk. Client (Supermarket (* but I do not want to pay yet. (** minus a fee.
12 Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 3 Please pay the invoice. 4 Here is your money (**. 5 It s time to pay. 6 Here is the money. Provider (Milk seller 1 I want (a lot of milk now *. 2 Here is your milk. Client (Supermarket (* but I do not want to pay yet. (** minus a fee.
13 The Problem A malicious provider could send the same invoice to various Factoring Entities. Then he leaves to a far away country with all the money. Later, several Factoring Entities will try to charge the invoice to the same client. Losts must be shared
14 Solution with Factoring Authority Factoring Authority (4 Is there the invoice? (5 YES / NO FE 1 FE 2 FE i FE n (3 Invoice, Ack Provider (1 Invoice (2 Ack Client
15 Caveat This solution is quite simple. However Trusted Factoring Authority is needed. Can we remove this requirement?
16 Properties Dynamic Allows insertion/deletion of elements. Universal Allows proofs of membership and nonmembership. Strong No need to trust in the Accumulator Manager.
17 Prior work Dynamic Strong Universal Security Efficiency (witness size Note [BeMa94] RSA + RO O(1 First definition [BarPfi97] Strong RSA O(1  [CamLys02] Strong RSA O(1 First dynamic accumulator [LLX07] Strong RSA O(1 First universal accumultor [AWSM07] Pairings O(1 Ecash [WWP08] estrong RSA Paillier O(1 Batch Update
18 Prior work Dynamic Strong Universal Security Efficiency (witness size Note [BeMa94] RSA + RO O(1 First definition [BarPfi97] Strong RSA O(1  [CamLys02] Strong RSA O(1 First dynamic accumulator [LLX07] Strong RSA O(1 First universal accumultor [AWSM07] Pairings O(1 Ecash [WWP08] estrong RSA Paillier O(1 Batch Update [CHKO08] CollisionResistant Hashing O(ln(n Our work
19 Notation H: {0,1}* {0,1} k randomly chosen function from a family of collisionresistant hash functions. x 1,x 2,x 3, є {0,1} k x 1 < x 2 < x 3 < where < is the lexicographic order on binary strings. , Special values such that For all x є {0,1} k :  < x < denotes the concatenation operator.
20 Ideas Merkletrees P=H(Z 1 Z 2 Root value: Z 1 =H(Y 1 Y 2 Z 2 =H(Y 3 Y 4 Represents the set {x 1,,x 8 } Y 1 =H(x 4 x 1 Y 2 =H(x 5 x 6 Y 3 =H(x 2 x 8 Y 4 =H(x 7 x 3 x 4 x 1 x 5 x 6 x 2 x 8 x 7 x 3
21 Ideas Merkletrees P=H(Z 1 Z 2 Root value: Represents the set {x 1,,x 8 } Z 1 =H(Y 1 Y 2 Z 2 =H(Y 3 Y 4 Y 1 =H(x 4 x 1 Y 2 =H(x 5 x 6 Y 3 =H(x 2 x 8 Y 4 =H(x 7 x 3 O(ln(n x 4 x 1 x 5 x 6 x 2 x 8 x 7 x 3
22 Ideas How to prove nonmembership? Kocher s trick [Koch98]: store pair of consecutive values X={1,3,5,6,11} X ={(,1,(1,3,(3,5,(5,6,(6,11,(11, } y=3 belongs to X (1,3 or (,1 belongs to X. y=2 does not belong to X (1,3 belongs to X.
23 Public Data Structure Called Memory. Compute efficiently the accumulated value and the witnesses. In our construction the Memory will be a binary tree.
24 How to insert elements? (, X=Ø, next: x 1
25 How to insert elements? (,x 1 (x 1, X={x 1 }, next: x 2
26 How to insert elements? (,x 1 (x 1, x 2 (x 2, X={x 1,x 2 }, next: x 5
27 How to insert elements? (,x 1 (x 1, x 2 (x 2, x 5 (x 5, X={x 1,x 2,x 5 }, next: x 3
28 How to insert elements? (,x 1 (x 1, x 2 (x 2, x 3 (x 5, (x 3, x 5 X={x 1,x 2,x 3,x 5 }, next: x 4
29 How to insert elements? (,x 1 (x 1, x 2 (x 2, x 3 (x 5, (x 3, x 4 (x 4, x 5 X={x 1,x 2,x 3,x 4,x 5 }, next: x 6
30 How to insert elements? (,x 1 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, X={x 1,x 2,x 3,x 4,x 5,x 6 }
31 value? (,x 1 How to compute the accumulated (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, x 7 (x 9, (x 7, x 9 Proof N =H(Proof left Proof right value Proof Nil = Acc = Proof Root A pair (x i,x j
32 How to update the accumulated value? (Insertion (,x 1 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, x 7 (x 9, (x 7, x 9 Next element to be inserted: x 8 We will need to recompute proof node values.
33 How to update the accumulated value? (Insertion (,x 1 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, x 7 (x 9, (x 7, x 8 (x 8, x 9 New element: x 8. Proof N stored in each node. Dark nodes do not require recomputing Proof N. Only a logarithmic number of values needs recomputation.
34 Security Consistency Difficult to find witnesses that allow to prove inconsistent statements. X={1,2} Update Hard to compute a membership witness for 3. Hard to compute a nonmembership witness for 2. Guarantees that the accumulated value represents the set after insertion/deletion of x.
35 Security Lemma: Given a tree T with accumulated value Acc T, finding a tree T, T T such that Acc T = Acc T is difficult. Proof (Sketch: Proof N = H(Proof left Proof right value (,x 1 (x 1, x 2 (x 2, x 3 (,x 1 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, x 7 (x 5, x 6 (x 3, x 4 (x 4, x 7 (x 6, x 7
36 Security Lemma: Given a tree T with accumulated value Acc T, finding a tree T, T T such that Acc T = Acc T is difficult. Proof (Sketch: Proof N = H(Proof left Proof right value Collision for H (,x 1 (x 1, x 2 (x 2, x 3 (,x 1 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, x 7 (x 5, x 6 (x 3, x 4 (x 4, x 7 (x 6, x 7
37 Security Lemma: Given a tree T with accumulated value Acc T, finding a tree T, T T such that Acc T = Acc T is difficult. Proof (Sketch: Proof N = H(Proof left Proof right value Collision for H (,x 1 (x 1, x 2 (x 2, x 3 (,x 1 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, x 7 (x 5, x 6 (x 3, x 4 (x 4, x 7 (x 6, x 7
38 Security Lemma: Given a tree T with accumulated value Acc T, finding a tree T, T T such that Acc T = Acc T is difficult. Proof (Sketch: Proof N = H(Proof left Proof right value Collision for H (,x 1 (x 1, x 2 (x 2, x 3 (,x 1 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, x 7 (x 5, x 6 (x 3, x 4 (x 4, x 7 (x 6, x 7
39 Security (Consistency (,x 1 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, x 7 (x 9, (x 7, x 9 Witness: blue nodes and the (x 3,x 4 pair, size in O(ln(n Checking that x belongs (or not to X: 1 compute recursively the proof P and verify that P=Acc 2 check that: x=x 3 or x=x 4 (membership x 3 < x < x 4 (nonmembership
40 Security (Update Before After (,x 1 (,x 1 Acc before Acc after (x 1, x 2 (x 2, x 3 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, x 7 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, x 7 (x 9, (x 7, x 9 (x 9, (x 7, x 8 (x 8, x 9 Insertion of x 8
41 Conclusion & Open Problem First dynamic, universal, strong accumulator. Simple. Security Existence of collisionresistant hash functions. Solves the einvoice Factoring Problem. Less efficient than other constructions Size of witness in O(ln(n. Open Problem Is it possible to build a strong,dynamic and universal accumulator with witness size lower than O(ln(n?
42 Thank you!
43 Invoice Factoring using accumulator We need a secure broadcast channel If a message m is published, every participant sees the same m. Depending on the security level required Trusted http of ftp server Bulletin Board [CGS97]
44 Invoice Factoring using accumulator Factoring Authority (4 Is there the invoice? (5 YES / NO We need to see in detail this step FE 1 FE 2 FE i FE n (3 Invoice, Ack Provider (1 Invoice (2 Ack Client
45 Invoice Factoring using accumulator Step 5 (Details FE Factoring Authority Have you got invoice x? YES/NO, w x w x = Witness(m before,x Check(Acc before,w x,x If NO, insert x Acc new,w up,id FE Acc new,w up = Update Add (m before,x CheckUpdate(Acc before,acc after,w x All tests pass => I can buy x.
46 Distributed solutions? Complex to implement Hard to make them robust High bandwith communication Need to be online synchronization problems That s why we focus on a centralized solution.
47 Checking for (nonmembership User Accumulator Manager Does x belong to X? Memory w x = Witness(m,x w x Belongs(Acc,w x = True x є X If w x is not valid Belongs returns.
48 Update of the accumulated value User Accumulator Manager Insert or Delete x m after, Acc after, w up = Update Add/Del (m before,x Acc after, w up CheckUpdate(Acc before,acc after,w up
49 How to delete elements? (,x 1 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6, X={x 1,x 2,x 3,x 4,x 5,x 6 } element to be deleted: x 2
50 How to delete elements? (x 1,x 3 (,x 1 (x 1, x 2 (x 2, x 3 (x 5, x 6 (x 3, x 4 (x 4, x 5 (x 6,
51 How to delete elements? (,x 1 (x 1, x 3 (x 6, (x 5, x 6 (x 3, x 4 (x 4, x 5
52 Bibliography [BeMa92] Efficient Broadcast TimeStamping Josh Benaloh and Michael de Mare 1992 [BeMa94] Oneway Accumulators: A decentralized Alternative to Digital Signatures Josh Benaloh and Michael de Mare, 1994 [BarPfi97] CollisionFree Accumulators and FailStop Signature Schemes Without Trees Niko Barić and Birgit Pfitzmann 1997 [CGS97] A secure and optimally efficient multiauthority election scheme R. Cramer, R. Gennaro, and B. Schoenmakers 1997 [Koch98] On certificate revocation and validation P.C. Kocher 1998 [CGH98] The random oracle methodoly revisited R. Canetti, O. Goldreich and S. Halevi 1998 [Sand99] Efficient Accumulators Without Trapdoor Tomas Sanders 1999 [GoTa01] An efficient and Distributed Cryptographic Accumulator Michael T. Goodrich and Roberto Tamassia 2001 [CamLys02] Dynamic Accumulators And Application to Efficient Revocation of Anonymous Credentials Jan Camenisch Anna Lysyanskaya 2002 [GeRa04] RSA Accumulator Based Broadcast Encryption Craig Gentry and Zulfikar Ramzan 2004 [LLX07] Universal Accumulators with Efficient Nonmembership Proofs Jiangtao Li, Ninghui Li and Rui Xue 2007 [AWSM07] Compact ECash from Bounded Accumulator Man Ho Au, Qianhong Wu, Willy Susilo and Yi Mu 2007 [WWP08] A new Dynamic Accumulator for Batch Updates Peishun Wang, Huaxiong Wang and Josef Pieprzyk 2008 [CKHO08] Strong Accumulators from CollisionResistant Hashing Philippe Camacho, Alejandro Hevia, Marcos Kiwi, and Roberto Opazo 2008
ConstantSize Commitments to Polynomials and Their Applications
ConstantSize Commitments to Polynomials and Their Applications Aniket Kate 1, Gregory M. Zaverucha 2, and Ian Goldberg 3 1 Max Planck Institute for Software Systems (MPISWS) 2 Certicom Research 3 University
More informationThe Disadvantages of Free MIX Routes and How to Overcome Them
The Disadvantages of Free MIX Routes and How to Overcome Them Oliver Berthold 1, Andreas Pfitzmann 1, and Ronny Standtke 2 1 Dresden University of Technology, Germany {ob2,pfitza}@inf.tudresden.de 2 Secunet,
More informationGroup Signatures: Authentication with Privacy
Group Signatures: Authentication with Privacy Authors Prof. Dr. Mark Manulis, Nils Fleischhacker, Felix Günther, Franziskus Kiefer, Bertram Poettering Cryptographic Protocols Group Department of Computer
More informationEfficient Protocols for Set Membership and Range Proofs
Efficient Protocols for Set Membership and Range Proofs Jan Camenisch 1, Rafik Chaabouni 1,2, and abhi shelat 3 1 IBM Research 2 EPFL 3 U. of Virginia Abstract. We consider the following problem: Given
More informationScalable Protocols for Authenticated Group Key Exchange
Scalable Protocols for Authenticated Group Key Exchange Jonathan Katz Moti Yung Abstract We consider the problem of authenticated group key exchange among n parties communicating over an insecure public
More informationEfficient Private Matching and Set Intersection
Efficient Private Matching and Set Intersection Michael J. Freedman 1, Kobbi Nissim 2, and Benny Pinkas 3 1 New York University (mfreed@cs.nyu.edu) 2 Microsoft Research SVC (kobbi@microsoft.com) 3 HP Labs
More informationShort Group Signatures
An extended abstract of this paper is to appear in Advances in Cryptology CRYPTO 2004, SpringerVerlag. Short Group Signatures Dan Boneh dabo@cs.stanford.edu Xavier Boyen xb@boyen.org Hovav Shacham hovav@cs.stanford.edu
More informationExtending Nymblelike Systems
Extending Nymblelike Systems Ryan Henry and Ian Goldberg Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada N2L 3G1 {rhenry,iang}@cs.uwaterloo.ca Abstract We present several
More informationTimeSpecific Encryption
TimeSpecific Encryption Kenneth G. Paterson and Elizabeth A. Quaglia Information Security Group, Royal Holloway, University of London, Kenny.Paterson@rhul.ac.uk, E.A.Quaglia@rhul.ac.uk Abstract. This
More informationEfficient construction of votetags to allow open objection to the tally in electronic elections
Information Processing Letters 75 (2000) 211 215 Efficient construction of votetags to allow open objection to the tally in electronic elections Andreu Riera a,,joseprifà b, Joan Borrell b a isoco, Intelligent
More informationAdmission Control in PeertoPeer: Design and Performance Evaluation
Admission Control in PeertoPeer: Design and Performance Evaluation Nitesh Saxena Computer Science Dept. UC Irvine nitesh@ics.uci.edu Gene Tsudik Computer Science Dept. UC Irvine gts@ics.uci.edu Jeong
More informationFairplayMP A System for Secure MultiParty Computation
FairplayMP A System for Secure MultiParty Computation Assaf BenDavid School of Engineering and Computer Science The Hebrew University Jerusalem 91904, Israel Noam Nisan Google Tel Aviv and School of
More informationLecture 2 February 12, 2003
6.897: Advanced Data Structures Spring 003 Prof. Erik Demaine Lecture February, 003 Scribe: Jeff Lindy Overview In the last lecture we considered the successor problem for a bounded universe of size u.
More informationPermacoin: Repurposing Bitcoin Work for Data Preservation
Permacoin: Repurposing Bitcoin Work for Data Preservation Andrew Miller 1, Ari Juels 2, Elaine Shi 1, Bryan Parno 3 and Jonathan Katz 1 1 University of Maryland 2 Cornell Tech (Jacobs) 3 Microsoft Research
More informationRobust Set Reconciliation
Robust Set Reconciliation Di Chen 1 Christian Konrad 2 Ke Yi 1 Wei Yu 3 Qin Zhang 4 1 Hong Kong University of Science and Technology, Hong Kong, China 2 Reykjavik University, Reykjavik, Iceland 3 Aarhus
More informationBitcoin: A PeertoPeer Electronic Cash System
Bitcoin: A PeertoPeer Electronic Cash System Satoshi Nakamoto satoshin@gmx.com www.bitcoin.org Abstract. A purely peertopeer version of electronic cash would allow online payments to be sent directly
More informationAdaptive Oneway Functions and Applications
Adaptive Oneway Functions and Applications Omkant Pandey 1, Rafael Pass 2, and Vinod Vaikuntanathan 3 1 UCLA (omkant@cs.ucla.edu) 2 Cornell University (rafael@cs.cornell.edu) 3 MIT (vinodv@mit.edu) Abstract.
More informationThe Set Data Model CHAPTER 7. 7.1 What This Chapter Is About
CHAPTER 7 The Set Data Model The set is the most fundamental data model of mathematics. Every concept in mathematics, from trees to real numbers, is expressible as a special kind of set. In this book,
More informationOn Collisions for MD5
Eindhoven University of Technology Department of Mathematics and Computing Science MASTER S THESIS On Collisions for MD5 By M.M.J. Stevens Supervisor: Prof. dr. ir. H.C.A. van Tilborg Advisors: Dr. B.M.M.
More informationThe UnionFind Problem Kruskal s algorithm for finding an MST presented us with a problem in datastructure design. As we looked at each edge,
The UnionFind Problem Kruskal s algorithm for finding an MST presented us with a problem in datastructure design. As we looked at each edge, cheapest first, we had to determine whether its two endpoints
More informationProvable Data Possession at Untrusted Stores
Provable Data Possession at Untrusted Stores Giuseppe Ateniese Randal Burns Reza Curtmola Joseph Herring Lea Kissner Zachary Peterson Dawn Song ABSTRACT We introduce a model for provable data possession
More informationCLoud Computing is the long dreamed vision of
1 Enabling Secure and Efficient Ranked Keyword Search over Outsourced Cloud Data Cong Wang, Student Member, IEEE, Ning Cao, Student Member, IEEE, Kui Ren, Senior Member, IEEE, Wenjing Lou, Senior Member,
More informationOn the possibility of constructing meaningful hash collisions for public keys
On the possibility of constructing meaningful hash collisions for public keys full version, with an appendix on colliding X.509 certificates Arjen Lenstra 1,2 and Benne de Weger 2 1 Lucent Technologies,
More informationEfficient Two Party and Multi Party Computation against Covert Adversaries
Efficient Two Party and Multi Party Computation against Covert Adversaries Vipul Goyal 1, Payman Mohassel 2, and Adam Smith 3 1 Department of Computer Science, UCLA vipul@cs.ucla.edu 2 Department of Computer
More informationI/OEfficient Batched UnionFind and Its Applications to Terrain Analysis
I/OEfficient Batched UnionFind and Its Applications to Terrain Analysis Pankaj K. Agarwal Lars Arge, Ke Yi Department of Computer Science, Duke University, Durham, NC 0, USA. {pankaj,large,yike}@cs.duke.edu
More informationChord: A Scalable Peertopeer Lookup Service for Internet Applications
Chord: A Scalable Peertopeer Lookup Service for Internet Applications Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT Laboratory for Computer Science chord@lcs.mit.edu
More informationMining Data Streams. Chapter 4. 4.1 The Stream Data Model
Chapter 4 Mining Data Streams Most of the algorithms described in this book assume that we are mining a database. That is, all our data is available when and if we want it. In this chapter, we shall make
More informationPersistent Data Structures
6.854 Advanced Algorithms Lecture 2: September 9, 2005 Scribes: Sommer Gentry, Eddie Kohler Lecturer: David Karger Persistent Data Structures 2.1 Introduction and motivation So far, we ve seen only ephemeral
More informationWhat s the Difference? Efficient Set Reconciliation without Prior Context
hat s the Difference? Efficient Set Reconciliation without Prior Context David Eppstein Michael T. Goodrich Frank Uyeda George arghese,3 U.C. Irvine U.C. San Diego 3 ahoo! Research ABSTRACT e describe
More informationEfficient Processing of Joins on Setvalued Attributes
Efficient Processing of Joins on Setvalued Attributes Nikos Mamoulis Department of Computer Science and Information Systems University of Hong Kong Pokfulam Road Hong Kong nikos@csis.hku.hk Abstract Objectoriented
More information