Supporting Non-membership Proofs with Bilinear-map Accumulators

Similar documents
Strong Accumulators from Collision-Resistant Hashing

A New and Efficient Signature on Commitment Values

Public Key Cryptography and RSA. Review: Number Theory Basics

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Efficient Unlinkable Secret Handshakes for Anonymous Communications

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Lecture 2: Complexity Theory Review and Interactive Proofs

Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation

A New Generic Digital Signature Algorithm

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Introduction. Digital Signature

Protocols for Secure Cloud Computing

Development of enhanced Third party Auditing Scheme for Secure Cloud Storage

CSCE 465 Computer & Network Security

Primes, Factoring, and RSA A Return to Cryptography. Table of contents

Improved Online/Offline Signature Schemes

Public Key Cryptography: RSA and Lots of Number Theory

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

Identity-Based Encryption from the Weil Pairing

Public Key (asymmetric) Cryptography

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

ZQL. a cryptographic compiler for processing private data. George Danezis. Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo

CIS 5371 Cryptography. 8. Encryption --

Victor Shoup Avi Rubin. Abstract

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings

Computer Security: Principles and Practice

Notes on Network Security Prof. Hemant K. Soni

Lecture 17: Re-encryption

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Paillier Threshold Encryption Toolbox

A Secure RFID Ticket System For Public Transport

Enhancing Data Security in Cloud Storage Auditing With Key Abstraction

An Anonymous Endorsement System

Crittografia e sicurezza delle reti. Digital signatures- DSA

AN EFFICIENT AUDIT SERVICE OUTSOURCING FOR DATA IN TEGRITY IN CLOUDS

Study of algorithms for factoring integers and computing discrete logarithms

Factoring & Primality

SECURE AND EFFICIENT PRIVACY-PRESERVING PUBLIC AUDITING SCHEME FOR CLOUD STORAGE

Digital Signatures. What are Signature Schemes?

Security in Electronic Payment Systems

Batch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes

Lecture 9 - Message Authentication Codes

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

The Mathematics of the RSA Public-Key Cryptosystem

Lecture 25: Pairing-Based Cryptography

LUC: A New Public Key System

Lecture 13 - Basic Number Theory.

Verifiable Delegation of Computation over Large Datasets

8 Divisibility and prime numbers

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Lecture 15 - Digital Signatures

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Quotient Rings and Field Extensions

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Analysis of Privacy-Preserving Element Reduction of Multiset

RSA Encryption. Tom Davis October 10, 2003

Cryptography and Network Security Chapter 9

SECURITY IN NETWORKS

1 Signatures vs. MACs

A Factoring and Discrete Logarithm based Cryptosystem

Lecture 5 - CPA security, Pseudorandom functions

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Cryptography and Network Security

Lecture 3: One-Way Encryption, RSA Example

Security Arguments for Digital Signatures and Blind Signatures

On Electronic Payment Systems

Hey! Cross Check on Computation in Cloud

New Efficient Searchable Encryption Schemes from Bilinear Pairings

An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC

MATH10040 Chapter 2: Prime and relatively prime numbers

Lecture 2: Universality

1 Domain Extension for MACs

Cryptography and Network Security

The application of prime numbers to RSA encryption


RSA and Primality Testing

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

A novel deniable authentication protocol using generalized ElGamal signature scheme

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment

Every Positive Integer is the Sum of Four Squares! (and other exciting problems)

DIRECT ONLINE/OFFLINE DIGITAL SIGNATURE SCHEMES. Ping Yu, M.S. Dissertation Prepared for the Degree of DOCTOR OF PHILOSOPHY UNIVERSITY OF NORTH TEXAS

Some Identity Based Strong Bi-Designated Verifier Signature Schemes

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Groups in Cryptography

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

A Secure Decentralized Access Control Scheme for Data stored in Clouds

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Efficient Protocols for Set Membership and Range Proofs

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Transcription:

Supporting Non-membership Proofs with Bilinear-map Accumulators Ivan Damgård Nikos Triandopoulos University of Aarhus Boston University Denmark USA December 20, 2008 Abstract In this short note, we present an extension of Nguyen s bilinear-map based accumulator scheme [8] to support non-membership witnesses and corresponding non-membership proofs, i.e., cryptographic proofs that an element has not been accumulated to a given set. This complements the non-membership proofs developed by Li et al. [7] for the RSA accumulator [2, 3, 5], making the functionality of the bilinear-map accumulator equivalent to that of the RSA accumulator. Our non-membership extension of Nguyen s scheme [8] makes use of the q-strong Diffie-Hellman assumption the security of the original scheme is based on. 1 Introduction Dynamic accumulators are cryptographic authentication primitives for optimally verifying set-membership relations. Given a set X of elements, an accumulator can be used to compute an accumulation value, a short (namely, of constant size) secure description A(X) of X, subject to which there exist short (namely, of constant size) witnesses for any element in X that has been accumulated to A(X). Each elementspecific witness can be used to provide an efficient (namely, of constant verification time) cryptographic proof that the corresponding element is a member of X. Element insertions in or deletions from set X result in corresponding updates on the accumulation values and the element witnesses. Accumulators were first introduced by Benaloh and de Mare [3], and were later further studied and extended by Baric and Pfitzmann [2]. Both constructions were based on the RSA exponentiation function and proved secure under the strong RSA assumption. Camenisch and Lysyanskaya [5] further advanced the RSA accumulator by introduced dynamic extensions, as well as privacy-preserving membership proofs. Consequently, many extensions of the RSA accumulator have been proposed, including accumulation of composite integers [11], bounded number of accumulated elements [1], set-up without trapdoor [10], and, finally, non-membership witnesses and corresponding non-membership proofs, introduced by Li et al. [7]. Non-membership witnesses extend the functionality of accumulators by supporting cryptographic proofs that a given element is not a member of the set, that is, it was never accumulated to the current set. Finally, works improving on the efficiency of the RSA accumulator include [6, 9]. Dept. of Computer Science, University of Aarhus, Aarhus, DK 8200, Denmark. Email: ivan@cs.au.dk. Dept. of Computer Science, Boston University, Boston, MA 02215, USA. Email: nikos@cs.bu.edu. This research was performed while the author was at University of Aarhus, Denmark. 1

The first alternative construction of a dynamic accumulator (beyond the one based on RSA) is due to Nguyen [8]. This scheme is based on bilinear pairings and the construction is proven secure under the q-strong Diffie-Hellman assumption [4] on general groups. We refer to this accumulator scheme as bilinearmap accumulator. Recently a new construction based on Paillier s encryption system has been proposed that additionally offers batch element updates [12]. In this short note, we describe an extension of Nguyen s bilinear-map accumulator scheme to support non-membership witnesses and non-membership proofs and prove the security of this extended scheme. 2 Non-Membership Verification for Bilinear-map Accumulators We first present some necessary preliminaries related to the underlying computational hardness assumption our non-membership extension (and also the original scheme by Nguyen [8]) is based on. We then build on Nguyen s original accumulator scheme to define the new non-membership witnesses, describe their corresponding verification test and finally prove their security. 2.1 The q-strong Diffie-Hellman Assumption We first present the q-strong DH assumption [4] over general groups, which has been used in many contexts. Definition 2.1 (q-strong Diffie-Hellman Assumption.) Let G =< g > be a cyclic group of prime order p and κ Z p. Under the q-strong Diffie-Hellman assumption, any probabilistic polynomial-time algorithm A that is given set {g κi : 0 i q}, finds a pair (x, g 1 x+κ ) Z p G with at most O(1/p) probability, where the probability is over the random choice of κ Z p and the random bits chosen by A. In the sequel, whenever operating on group elements in G of prime order p, we always make use of the fact that g x = g x mod p, x Z; i.e., all operations in the exponent can be reduced modulo the group order p. 2.2 Accumulators Based on Bilinear Maps We now present Nguyen s scheme and appropriately extend it to support non-membership proofs. Given the security parameter λ, let G be a multiplicative cyclic group of prime order p that is generated by g, where p grows exponentially with λ. 1 Additionally, group G is chosen such that it supports a (nondegenerate) bilinear pairing to a target cyclic group G T of prime order p. That is, if G is generated by element g, then there exists a bilinear, non-trivial, map e : G G G T from pairs of elements in G to elements of target group G T, such that for any two integers a, b it holds that e(g a, g b ) = e(g, g) ab and where, additionally, element e(g, g) G T generates G T. Let A κ : 2 Z p G be an accumulation function that is parameterized by κ Z p and maps sets X of integers in Z p to elements in G according to the mapping A κ (X) = g Q x X (x+κ). This has been the accumulation function used by Nguyen in [8] to construct the first accumulator scheme that is not based on the RSA exponentiation function. In Nguyen s construction, κ is the trapdoor information and set {g κi 0 i q} is the public key, q in an upper bound on X = n that grows polynomially with 1 The security parameter can be equal to the bit-length of either a group element or an exponent in the group (integers modulo p). 2

the security parameter λ = O(log p). Seen as a polynomial on κ of degree X = n, let f X (κ) denote the product in the exponent of A κ (X), that is, f X (κ) x X(x + κ). As in [8], for any x X, we define the membership witness w x G of x with respect to accumulation value A κ (X) to be the value w x satisfying the membership verification test w (x+κ) x = A κ (X), (1) which, using the bilinear map e(, ) and the publicly known group element h = g κ, is realized in practice as e(w x, g x h) = e(a κ (X), g). (2) That is, any member x of set X has a unique corresponding membership witness w x g f X (κ) x+κ = g q X,x (κ) (since (x + κ) f X (κ)), for some polynomial q X,x (κ) of degree n 1 that is uniquely defined by set X x. 2.3 Non-membership Verification for Accumulators Based on Bilinear Maps Inspired by the non-membership test proposed by Li et al. in [7] for the RSA accumulator, we introduce nonmembership witnesses for the accumulation function A κ ( ). For any y / X, the non-membership witness ŵ y of y with respect to A κ (X) is a pair of values (w y, u y ) G Z p, subject to the requirements (i) u y 0 and (ii) (y + κ) [f X (κ) + u y ], additionally satisfying the non-membership verification test w (y+κ) y = A κ (X) g uy, (3) which, using the bilinear map e(, ) and the publicly known group element h = g κ, is realized in practice as e(w y, g y h) = e(a κ (X) g uy, g). (4) In particular, any non-member y of set X has a unique corresponding non-membership witness ŵ y = (w y, u y ), by setting u y f X ( y) mod p = x X(x y) mod p, (5) and then accordingly setting w y = g f X (κ) f X ( y) y+κ = gˆq X(κ), (6) for some polynomial ˆq X (κ) of degree n 1 that is uniquely defined by set X. Note that, since y / X, it holds that u y 0. Also note that, if h X (κ) = f X (κ) f X ( y), then h X ( y) = 0, thus it holds that (y + κ) h X (κ) (thus, justifying the last part of Equation 6) and, in fact, that (y + κ) [f X (κ) + u y ]. Thus, in addition to Equations 3 and 4, the pair of values (w y, u y ) defined above satisfies the required conditions u y 0 and (y + κ) [f X (κ) + u y ]. We require that the verification process immediately rejects if u y = 0. Also, observe that the non-membership witness for y / X can be computed efficiently (in polynomial in X time), using only set X and the public key, by evaluating polynomial f X (κ) on y and then computing the group element w y through Equation 6. 3

We say that a membership, respectively non-membership, witness w x, respectively ŵ y = (w y, u y ), is fake if x / X, respectively y X, and, still, the corresponding membership. respectively non-membership, verification test (in particular, expressed through Equations 1 and 3 respectively) is satisfied. The security of non-membership test relies on the following: if y is in X then y + κ divides polynomial f X (κ), and therefore y + κ cannot divide polynomial f X (κ) + u y for any choice of u y 0. (Recall that the verifier first checks whether u y 0, according to the definition of non-membership witnesses.) Based on the fact that (y + κ) [f X (κ) + u y ], one can easily reduce any fake non-membership witness to an attack to the q-strong DH assumption, using a simple polynomial division and the public key. For completeness we present the security proof for both membership and non-membership witnesses. Lemma 1 Under the q-strong Diffie-Hellman assumption, any PPT algorithm B, given any set X, X q and set {g κi 0 i q}, finds a fake non-membership witness of a member of X or a fake membership witness of a non-member of X with respect to A κ (X) with probability at most O(1/p), measured over the random choice of κ Z p and random bits of B. Proof: Consider the case of membership witnesses first. Suppose that there exists PPT algorithm B that with non-negligible probability outputs a fake membership witness w x for x / X with respect to A κ (X). Then, wx x+κ = A κ (X) = g fx(κ), where f X (κ) = X i=0 c i κ i, with c i being a known coefficient that depends on the elements of X, 0 i X. Since x / X, it is (x + κ) f X (κ). Thus, using polynomial division and given X, x, one can compute a non zero integer c and a polynomial q(κ) of degree X 1 such that f X (κ) = c + q(κ) (x + κ). Therefore, w x = g q(κ) g c 1 x+κ and g x+κ = [wx [g q(κ) ] 1 ] c 1, computed efficiently using the public key, which contradicts the q-strong DH assumption. The case of non-membership witnesses is very similar. Indeed, suppose that there exists PPT algorithm B that with non-negligible probability outputs a fake non-membership witness ŵ y = (w y, u y ), u y 0, = g f X(κ)+u y. Since y X, (y + κ) f X (κ), so (y + κ) [f X (κ)+u y ] for any u y 0. Thus, as before, using polynomial division and given u y, X, y, one can express f X (κ) + u y as c + q(κ) (y + κ) for some non zero c and some polynomial q(κ). This again allows the efficient computation of g 1 for y X with respect to A κ (X). Then, w y+κ y y+κ, contradicting the q-strong DH assumption. Note that both reduction arguments can be extended to the case where fake witnesses are defined with respect to the verification tests of Equations 2 and 4. In this case, knowledge of fake witnesses satisfying equations e(w x, g) x+κ = e(g, g) fx(κ) and e(w y, g) y+κ = e(g, g) f X(κ)+u y, implies knowledge of w x and (w y, u y ) that correspondingly satisfy w x+κ x = g f X(κ) and w y+κ y = g f X(κ)+u y. Therefore, we have a new secure non-membership verification test for the accumulation function A κ ( ). Theorem 1 (Non-membership witnesses.) Under the q-strong Diffie-Hellman assumption, for any nonmember of set X there exists a unique non-membership witness with respect to the accumulation value A κ (X) and a corresponding efficient and secure non-membership verification test. 3 Conclusion In this short note, we extend the accumulator scheme that is based on bilinear pairings, which was introduced by Nguyen in [8], to also support non-membership witnesses and corresponding cryptographic proofs of non-membership in a given set. That is, given the (authentic) accumulation value of a set X, the public key, and a corresponding short (of size that is independent of the size of X) non-membership witness, a verifier 4

can efficiently (in time independent of the size of X) verify that a given element y is not a member of X, i.e., y / X. The security of this new non-membership verification test is proved using the q-strong Diffie- Hellman assumption on general groups, the exact cryptographic assumption the original scheme [8] by Nguyen is based on. Similar to the non-membership extension of the RSA accumulator (see, e.g., [2, 3, 5]) that was proposed by Li et al. in [7], this non-membership extension enriches the functionality of the bilinear-map accumulator [8] and widens its usability in real-life security applications. Acknowledgments We thank Melissa Chase for useful discussions related to the topic of this short paper. References [1] M. H. Au, Q. Wu, W. Susilo, and Y. Mu. Compact e-cash from bounded accumulator. In Proceedings of CT-RSA 07, pages 178 195, 2007. [2] N. Barić and B. Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In Proceeding of EUROCRYPT 97, pages 480 494, 1997. [3] J. Benaloh and M. de Mare. One-way accumulators: A decentralized alternative to digital signatures. In Proceeding of EUROCRYPT 93, pages 274 285, 1994. [4] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In Proceedings of Crypto 04, pages 41 55, 2004. [5] J. Camenisch and A. Lysyanskaya. Dynamic accumulators and application to efficient revocation of anonymous credentials. In Proceedings of CRYPTO 02, pages 61 76, 2002. [6] M. T. Goodrich, R. Tamassia, and J. Hasic. An efficient dynamic and distributed cryptographic accumulator. In Proceeding of Information Security Conference (ISC), pages 372 388, 2002. [7] J. Li, N. Li,, and R. Xue. Universal accumulators with efficient non-membership proofs. In Proceedings of Conference on Applied Cryptography and Network Security (ACNS), pages 253 269, 2007. [8] L. Nguyen. Accumulators from bilinear pairings and applications. In Proceedings of CT-RSA 05, pages 275 292, 2005. [9] C. Papamanthou, R. Tamassia, and N. Triandopoulos. Authenticated hash tables. In Proceedings of ACM Conference on Computer and Communications Security (CCS), pages 437 448, October 2008. [10] T. Sander. Efficient accumulators without trapdoor extended abstracts. In Proceedings of International Conference on Information and Communication Security, pages 252 262, 1999. [11] G. Tsudik and S. Xu. Accumulating composites and improved group signing. In Proceedings of ASIACRYPT 03, pages 269 286, 2003. [12] P. Wang, H. Wang, and J. Pieprzyk. A new dynamic accumulator for batch updates. In Proceedings of ICICS 07, pages 98 112, 2007. 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information