SlideShare una empresa de Scribd logo

Strong Accumulators From Collision-Resistant Hashing

Philippe Camacho, Ph.D.
Philippe Camacho, Ph.D.

Slides of the paper presented at Information Security Conference 2008, Tapei, Taiwan.

Tecnología
1 de 52
Strong Accumulators from Collision-Resistant Hashing ISC 2008 Taipei - Taiwan Philippe Camacho (University of Chile) Alejandro Hevia (University of Chile) Marcos Kiwi (University of Chile) Roberto Opazo (CEO Acepta.com)
Outline  Notion of accumulator  Motivation  e-Invoice Factoring  Our construction  Conclusion
Notion of accumulator  Problem A set X.  Given an element x we wish to prove that this element belongs or not to X.  Let X={x1,x2,…,xn}: X will be represented by a short value Acc.  Belongs(Acc,x,w) = True  x belongs to X. Witness
Notion of accumulator  Accumulator Manager  Computes setup values.  Computes the accumulated value Acc.  Computes the witness wx for a given x.  Accumulator Users  Check that an element belongs or not to the set, using Acc, wx and x.
Applications  Time-stamping [BeMa94]  Certificate Revocation List [LLX07]  Anonymous credentials [CamLys02]  E-Cash [AWSM07]  Broadcast Encryption [GeRa04] …
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity Provider Client (Milk seller) (Supermarket)
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) (*) but I do not want to pay yet.
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity e . oic nv th ei a y sep ea ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity ). y (* * . e e on oic r m nv ou h ei y t is p ay e re se )H ea 4 ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity ). 5 y (* * )I t’s . e e on tim oic m e nv ur to th ei yo pa y is y. pa re se He l ea 4) 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 6) ). 5 He y (* * )I t’s re e. o ne tim is oic rm e th e nv u to m th ei yo pa on is ey p ay er e y. . e )H le as 4 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
The Problem  A malicious provider could send the same invoice to various Factoring Entities.  Then he leaves to a far away country with all the money.  Later, several Factoring Entities will try to charge the invoice to the same client. Losts must be shared…
Solution with Factoring Authority Factoring Authority (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
Caveat  This solution is quite simple.  However  Trusted Factoring Authority is needed.  Can we remove this requirement?
Properties  Dynamic  Allows insertion/deletion of elements.  Universal  Allows proofs of membership and nonmembership.  Strong  No need to trust in the Accumulator Manager.
Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition [BarPfi97] Strong RSA O(1) - [CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor [AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update
Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition [BarPfi97] Strong RSA O(1) - [CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor [AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update [CHKO08] Collision-Resistant Hashing O(ln(n)) Our work
Notation  H: {0,1}*→{0,1}k  randomly chosen function from a family of collision-resistant hash functions.  x1,x2,x3,…є {0,1}k  x1 < x2 < x3 < … where < is the lexicographic order on binary strings.  -∞,∞  Special values such that  For all x є {0,1}k : -∞ < x < ∞  || denotes the concatenation operator.
Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4) Root value: Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3) the set {x1, …,x8} x4 x1 x5 x6 x2 x8 x7 x3
Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4) Root value: O(ln(n)) Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3) the set {x1, …,x8} x4 x1 x5 x6 x2 x8 x7 x3
Ideas  How to prove non-membership?  Kocher’strick [Koch98]: store pair of consecutive values  X={1,3,5,6,11}  X’={(-∞,1),(1,3),(3,5),(5,6),(6,11),(11, ∞)}  y=3 belongs to X  (1,3) or (-∞,1) belongs to X’.  y=2 does not belong to X  (1,3) belongs to X’.
Public Data Structure  Called “Memory”.  Compute efficiently the accumulated value and the witnesses.  In our construction the Memory will be a binary tree.
How to insert elements? (-∞,∞) X=Ø, next: x1
How to insert elements? (-∞,x1) (x1, ∞) X={x1}, next: x2
How to insert elements? (-∞,x1) (x1, x2) (x2, ∞) X={x1,x2}, next: x5
How to insert elements? (-∞,x1) (x1, x2) (x2, x5) (x5, ∞) X={x1,x2,x5}, next: x3
How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x5) X={x1,x2,x3,x5}, next: x4
How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x4) (x4, x5) X={x1,x2,x3,x4,x5}, next: x6
How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6}
How to compute the accumulated value? (-∞,x ) 1 (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) ProofN=H(Proofleft||Proofright||value) ProofNil= “” A pair (xi,xj) Acc = ProofRoot
How to update the accumulated value? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Next element to be inserted: x8 We will need to recompute proof node values.
How to update the accumulated value? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x8) (x8, x9) New element: x8. ProofN stored in each node. Dark nodes do not require recomputing ProofN. Only a logarithmic number of values needs recomputation.
Security  Consistency  Difficult to find witnesses that allow to prove inconsistent statements.  X={1,2}  Hard to compute a membership witness for 3.  Hard to compute a nonmembership witness for 2.  Update  Guarantees that the accumulated value represents the set after insertion/deletion of x.
Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
Security (Consistency) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Witness: blue nodes and the (x3,x4) pair, size in O(ln(n)) Checking that x belongs (or not) to X: 1) compute recursively the proof P and verify that P=Acc 2) check that: x=x3 or x=x4 (membership) x3 < x < x4 (nonmembership)
Security (Update) Before After (-∞,x1) (-∞,x1) Accbefore Accafter (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) (x9, ∞) (x7, x8) (x8, x9) Insertion of x8
Conclusion & Open Problem  First dynamic, universal, strong accumulator.  Simple.  Security  Existence of collision-resistant hash functions.  Solves the e-Invoice Factoring Problem.  Less efficient than other constructions  Size of witness in O(ln(n)).  Open Problem “Is it possible to build a strong,dynamic and universal accumulator with witness size lower than O(ln(n))?”
Thank you!
Invoice Factoring using accumulator  We need a secure broadcast channel  Ifa message m is published, every participant sees the same m.  Depending on the security level required  Trusted http of ftp server  Bulletin Board [CGS97]
Invoice Factoring using accumulator Factoring Authority We need to see in detail this step (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
Invoice Factoring using accumulator  Step 5 (Details) FE Factoring Authority Have you got invoice x? wx = Witness(mbefore,x) YES/NO, wx Check(Accbefore,wx,x) If NO, insert x Accnew,wup = UpdateAdd(mbefore,x) Accnew,wup,IDFE CheckUpdate(Accbefore,Accafter,wx) All tests pass => I can buy x.
Distributed solutions?  Complex to implement  Hard to make them robust  High bandwith communication  Need to be online – synchronization problems  That’s why we focus on a centralized solution.
Checking for (non-)membership User Accumulator Manager Does x belong to X? Memory wx = Witness(m,x) wx Belongs(Acc,wx) = True  x є X If wx is not valid Belongs returns ┴.
Update of the accumulated value User Accumulator Manager Insert or Delete x mafter, Accafter,wup = UpdateAdd/Del(mbefore,x) Accafter, wup CheckUpdate(Accbefore,Accafter,wup)
How to delete elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6} element to be deleted: x2
How to delete elements? (-∞,x1) (x1,x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞)
How to delete elements? (-∞,x1) (x1, x3) (x6, ∞) (x5, x6) (x3, x4) (x4, x5)
Bibliography  [BeMa92] Efficient Broadcast Time-Stamping Josh Benaloh and Michael de Mare 1992  [BeMa94] One-way Accumulators: A decentralized Alternative to Digital Signatures Josh Benaloh and Michael de Mare , 1994  [BarPfi97] Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees Niko Barić and Birgit Pfitzmann 1997  [CGS97] A secure and optimally efficient multi-authority election scheme R. Cramer, R. Gennaro, and B. Schoenmakers 1997  [Koch98] On certificate revocation and validation P.C. Kocher 1998  [CGH98] The random oracle methodoly revisited R. Canetti, O. Goldreich and S. Halevi 1998  [Sand99] Efficient Accumulators Without Trapdoor Tomas Sanders 1999  [GoTa01] An efficient and Distributed Cryptographic Accumulator Michael T. Goodrich and Roberto Tamassia 2001  [CamLys02] Dynamic Accumulators And Application to Efficient Revocation of Anonymous Credentials Jan Camenisch Anna Lysyanskaya 2002  [GeRa04] RSA Accumulator Based Broadcast Encryption Craig Gentry and Zulfikar Ramzan 2004  [LLX07] Universal Accumulators with Efficient Nonmembership Proofs Jiangtao Li, Ninghui Li and Rui Xue 2007  [AWSM07] Compact E-Cash from Bounded Accumulator Man Ho Au, Qianhong Wu, Willy Susilo and Yi Mu 2007  [WWP08] A new Dynamic Accumulator for Batch Updates Peishun Wang, Huaxiong Wang and Josef Pieprzyk 2008  [CKHO08] Strong Accumulators from Collision-Resistant Hashing Philippe Camacho, Alejandro Hevia, Marcos Kiwi, and Roberto Opazo 2008

Recomendados

TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.A
TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.ATRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.A
TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.Aopereira2705
 
Blockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldBlockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldPhilippe Camacho, Ph.D.
 
Bitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesBitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesPhilippe Camacho, Ph.D.
 
Analyzing Bitcoin Security
Analyzing Bitcoin SecurityAnalyzing Bitcoin Security
Analyzing Bitcoin SecurityPhilippe Camacho, Ph.D.
 
Smart contracts
Smart contractsSmart contracts
Smart contractsPhilippe Camacho, Ph.D.
 
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Philippe Camacho, Ph.D.
 
Bitcoin y (in)seguridad: 5 paradojas
Bitcoin y (in)seguridad: 5 paradojasBitcoin y (in)seguridad: 5 paradojas
Bitcoin y (in)seguridad: 5 paradojasPhilippe Camacho, Ph.D.
 
No más Madoff: Satoshi al rescate
No más Madoff: Satoshi al rescateNo más Madoff: Satoshi al rescate
No más Madoff: Satoshi al rescatePhilippe Camacho, Ph.D.
 

Recomendados

TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.A
TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.ATRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.A
TRANSMISION DE DATOS Resumen UNIDAD I UFT OPM 1.Aopereira2705
 
Blockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldBlockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldPhilippe Camacho, Ph.D.
 
Bitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesBitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesPhilippe Camacho, Ph.D.
 
Analyzing Bitcoin Security
Analyzing Bitcoin SecurityAnalyzing Bitcoin Security
Analyzing Bitcoin SecurityPhilippe Camacho, Ph.D.
 
Smart contracts
Smart contractsSmart contracts
Smart contractsPhilippe Camacho, Ph.D.
 
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Philippe Camacho, Ph.D.
 
Bitcoin y (in)seguridad: 5 paradojas
Bitcoin y (in)seguridad: 5 paradojasBitcoin y (in)seguridad: 5 paradojas
Bitcoin y (in)seguridad: 5 paradojasPhilippe Camacho, Ph.D.
 
No más Madoff: Satoshi al rescate
No más Madoff: Satoshi al rescateNo más Madoff: Satoshi al rescate
No más Madoff: Satoshi al rescatePhilippe Camacho, Ph.D.
 
Protocols for Provable Solvency
Protocols for Provable SolvencyProtocols for Provable Solvency
Protocols for Provable SolvencyPhilippe Camacho, Ph.D.
 
Más allá del dinero: Bitcoin
Más allá del dinero: BitcoinMás allá del dinero: Bitcoin
Más allá del dinero: BitcoinPhilippe Camacho, Ph.D.
 
Introducción a Bitcoin
Introducción a BitcoinIntroducción a Bitcoin
Introducción a BitcoinPhilippe Camacho, Ph.D.
 
How to explain bitcoin to your mother
How to explain bitcoin to your motherHow to explain bitcoin to your mother
How to explain bitcoin to your motherPhilippe Camacho, Ph.D.
 
Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPredicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPhilippe Camacho, Ph.D.
 
Cuidatusbitcoins
CuidatusbitcoinsCuidatusbitcoins
CuidatusbitcoinsPhilippe Camacho, Ph.D.
 
Fair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyFair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyPhilippe Camacho, Ph.D.
 
Foaf+ssl
Foaf+sslFoaf+ssl
Foaf+sslPhilippe Camacho, Ph.D.
 
Agilidad al rescate
Agilidad al rescateAgilidad al rescate
Agilidad al rescatePhilippe Camacho, Ph.D.
 
XPDay2009: Nameaction
XPDay2009: NameactionXPDay2009: Nameaction
XPDay2009: NameactionPhilippe Camacho, Ph.D.
 
On the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsOn the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsPhilippe Camacho, Ph.D.
 
Short Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesShort Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesPhilippe Camacho, Ph.D.
 
Security of DNS
Security of DNSSecurity of DNS
Security of DNSPhilippe Camacho, Ph.D.
 
Agile daychile2010
Agile daychile2010Agile daychile2010
Agile daychile2010Philippe Camacho, Ph.D.
 
Agiles2010
Agiles2010Agiles2010
Agiles2010Philippe Camacho, Ph.D.
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 

Más contenido relacionado

Más de Philippe Camacho, Ph.D.

Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPredicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPhilippe Camacho, Ph.D.
 
Fair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyFair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyPhilippe Camacho, Ph.D.
 
On the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsOn the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsPhilippe Camacho, Ph.D.
 
Short Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesShort Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesPhilippe Camacho, Ph.D.
 

Más de Philippe Camacho, Ph.D. (15)

Protocols for Provable Solvency
Protocols for Provable SolvencyProtocols for Provable Solvency
Protocols for Provable Solvency
 
Más allá del dinero: Bitcoin
Más allá del dinero: BitcoinMás allá del dinero: Bitcoin
Más allá del dinero: Bitcoin
 
Introducción a Bitcoin
Introducción a BitcoinIntroducción a Bitcoin
Introducción a Bitcoin
 
How to explain bitcoin to your mother
How to explain bitcoin to your motherHow to explain bitcoin to your mother
How to explain bitcoin to your mother
 
Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPredicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant Hashing
 
Cuidatusbitcoins
CuidatusbitcoinsCuidatusbitcoins
Cuidatusbitcoins
 
Fair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyFair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third Party
 
Foaf+ssl
Foaf+sslFoaf+ssl
Foaf+ssl
 
Agilidad al rescate
Agilidad al rescateAgilidad al rescate
Agilidad al rescate
 
XPDay2009: Nameaction
XPDay2009: NameactionXPDay2009: Nameaction
XPDay2009: Nameaction
 
On the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsOn the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic Accumulators
 
Short Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesShort Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed Trees
 
Security of DNS
Security of DNSSecurity of DNS
Security of DNS
 
Agile daychile2010
Agile daychile2010Agile daychile2010
Agile daychile2010
 
Agiles2010
Agiles2010Agiles2010
Agiles2010
 

Último

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 

Último (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

Strong Accumulators From Collision-Resistant Hashing

  • 1. Strong Accumulators from Collision-Resistant Hashing ISC 2008 Taipei - Taiwan Philippe Camacho (University of Chile) Alejandro Hevia (University of Chile) Marcos Kiwi (University of Chile) Roberto Opazo (CEO Acepta.com)
  • 2. Outline  Notion of accumulator  Motivation  e-Invoice Factoring  Our construction  Conclusion
  • 3. Notion of accumulator  Problem A set X.  Given an element x we wish to prove that this element belongs or not to X.  Let X={x1,x2,…,xn}: X will be represented by a short value Acc.  Belongs(Acc,x,w) = True  x belongs to X. Witness
  • 4. Notion of accumulator  Accumulator Manager  Computes setup values.  Computes the accumulated value Acc.  Computes the witness wx for a given x.  Accumulator Users  Check that an element belongs or not to the set, using Acc, wx and x.
  • 5. Applications  Time-stamping [BeMa94]  Certificate Revocation List [LLX07]  Anonymous credentials [CamLys02]  E-Cash [AWSM07]  Broadcast Encryption [GeRa04] …
  • 6. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity Provider Client (Milk seller) (Supermarket)
  • 7. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) (*) but I do not want to pay yet.
  • 8. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
  • 9. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity e . oic nv th ei a y sep ea ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet.
  • 10. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity ). y (* * . e e on oic r m nv ou h ei y t is p ay e re se )H ea 4 ) Pl 3 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
  • 11. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity ). 5 y (* * )I t’s . e e on tim oic m e nv ur to th ei yo pa y is y. pa re se He l ea 4) 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
  • 12. Nothing to see with Number Theory! Factoring Industry in Chile Factoring Entity 6) ). 5 He y (* * )I t’s re e. o ne tim is oic rm e th e nv u to m th ei yo pa on is ey p ay er e y. . e )H le as 4 3 )P 1) I want (a lot of) milk now *. Provider Client (Milk seller) (Supermarket) 2) Here is your milk. (*) but I do not want to pay yet. (**) minus a fee.
  • 13. The Problem  A malicious provider could send the same invoice to various Factoring Entities.  Then he leaves to a far away country with all the money.  Later, several Factoring Entities will try to charge the invoice to the same client. Losts must be shared…
  • 14. Solution with Factoring Authority Factoring Authority (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
  • 15. Caveat  This solution is quite simple.  However  Trusted Factoring Authority is needed.  Can we remove this requirement?
  • 16. Properties  Dynamic  Allows insertion/deletion of elements.  Universal  Allows proofs of membership and nonmembership.  Strong  No need to trust in the Accumulator Manager.
  • 17. Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition [BarPfi97] Strong RSA O(1) - [CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor [AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update
  • 18. Prior work Dynamic Strong Universal Security Efficiency Note (witness size) [BeMa94] RSA + RO O(1) First definition [BarPfi97] Strong RSA O(1) - [CamLys02] Strong RSA O(1) First dynamic accumulator [LLX07] Strong RSA O(1) First universal accumultor [AWSM07] Pairings O(1) E-cash [WWP08] eStrong RSA Paillier O(1) Batch Update [CHKO08] Collision-Resistant Hashing O(ln(n)) Our work
  • 19. Notation  H: {0,1}*→{0,1}k  randomly chosen function from a family of collision-resistant hash functions.  x1,x2,x3,…є {0,1}k  x1 < x2 < x3 < … where < is the lexicographic order on binary strings.  -∞,∞  Special values such that  For all x є {0,1}k : -∞ < x < ∞  || denotes the concatenation operator.
  • 20. Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4) Root value: Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3) the set {x1, …,x8} x4 x1 x5 x6 x2 x8 x7 x3
  • 21. Ideas  Merkle-trees P=H(Z1||Z2) Z1=H(Y1||Y2) Z2=H(Y3||Y4) Root value: O(ln(n)) Represents Y1=H(x4||x1) Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3) the set {x1, …,x8} x4 x1 x5 x6 x2 x8 x7 x3
  • 22. Ideas  How to prove non-membership?  Kocher’strick [Koch98]: store pair of consecutive values  X={1,3,5,6,11}  X’={(-∞,1),(1,3),(3,5),(5,6),(6,11),(11, ∞)}  y=3 belongs to X  (1,3) or (-∞,1) belongs to X’.  y=2 does not belong to X  (1,3) belongs to X’.
  • 23. Public Data Structure  Called “Memory”.  Compute efficiently the accumulated value and the witnesses.  In our construction the Memory will be a binary tree.
  • 24. How to insert elements? (-∞,∞) X=Ø, next: x1
  • 25. How to insert elements? (-∞,x1) (x1, ∞) X={x1}, next: x2
  • 26. How to insert elements? (-∞,x1) (x1, x2) (x2, ∞) X={x1,x2}, next: x5
  • 27. How to insert elements? (-∞,x1) (x1, x2) (x2, x5) (x5, ∞) X={x1,x2,x5}, next: x3
  • 28. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x5) X={x1,x2,x3,x5}, next: x4
  • 29. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, ∞) (x3, x4) (x4, x5) X={x1,x2,x3,x4,x5}, next: x6
  • 30. How to insert elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6}
  • 31. How to compute the accumulated value? (-∞,x ) 1 (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) ProofN=H(Proofleft||Proofright||value) ProofNil= “” A pair (xi,xj) Acc = ProofRoot
  • 32. How to update the accumulated value? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Next element to be inserted: x8 We will need to recompute proof node values.
  • 33. How to update the accumulated value? (Insertion) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x8) (x8, x9) New element: x8. ProofN stored in each node. Dark nodes do not require recomputing ProofN. Only a logarithmic number of values needs recomputation.
  • 34. Security  Consistency  Difficult to find witnesses that allow to prove inconsistent statements.  X={1,2}  Hard to compute a membership witness for 3.  Hard to compute a nonmembership witness for 2.  Update  Guarantees that the accumulated value represents the set after insertion/deletion of x.
  • 35. Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 36. Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 37. Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 38. Security  Lemma: Given a tree T with accumulated value AccT, finding a tree T’, T≠T’ such that AccT = AccT’ is difficult.  Proof (Sketch): ProofN = H(Proofleft||Proofright||value) Collision for H (-∞,x1) (-∞,x1) (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x7) (x6, x7)
  • 39. Security (Consistency) (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) Witness: blue nodes and the (x3,x4) pair, size in O(ln(n)) Checking that x belongs (or not) to X: 1) compute recursively the proof P and verify that P=Acc 2) check that: x=x3 or x=x4 (membership) x3 < x < x4 (nonmembership)
  • 40. Security (Update) Before After (-∞,x1) (-∞,x1) Accbefore Accafter (x1, x2) (x2, x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x5, x6) (x3, x4) (x4, x5) (x6, x7) (x9, ∞) (x7, x9) (x9, ∞) (x7, x8) (x8, x9) Insertion of x8
  • 41. Conclusion & Open Problem  First dynamic, universal, strong accumulator.  Simple.  Security  Existence of collision-resistant hash functions.  Solves the e-Invoice Factoring Problem.  Less efficient than other constructions  Size of witness in O(ln(n)).  Open Problem “Is it possible to build a strong,dynamic and universal accumulator with witness size lower than O(ln(n))?”
  • 43. Invoice Factoring using accumulator  We need a secure broadcast channel  Ifa message m is published, every participant sees the same m.  Depending on the security level required  Trusted http of ftp server  Bulletin Board [CGS97]
  • 44. Invoice Factoring using accumulator Factoring Authority We need to see in detail this step (4) Is there (5) YES / NO the invoice? FE 1 FE 2 … FE i … FE n e, Ack (3) Invoic (1) Invoice Provider Client (2) Ack
  • 45. Invoice Factoring using accumulator  Step 5 (Details) FE Factoring Authority Have you got invoice x? wx = Witness(mbefore,x) YES/NO, wx Check(Accbefore,wx,x) If NO, insert x Accnew,wup = UpdateAdd(mbefore,x) Accnew,wup,IDFE CheckUpdate(Accbefore,Accafter,wx) All tests pass => I can buy x.
  • 46. Distributed solutions?  Complex to implement  Hard to make them robust  High bandwith communication  Need to be online – synchronization problems  That’s why we focus on a centralized solution.
  • 47. Checking for (non-)membership User Accumulator Manager Does x belong to X? Memory wx = Witness(m,x) wx Belongs(Acc,wx) = True  x є X If wx is not valid Belongs returns ┴.
  • 48. Update of the accumulated value User Accumulator Manager Insert or Delete x mafter, Accafter,wup = UpdateAdd/Del(mbefore,x) Accafter, wup CheckUpdate(Accbefore,Accafter,wup)
  • 49. How to delete elements? (-∞,x1) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞) X={x1,x2,x3,x4,x5,x6} element to be deleted: x2
  • 50. How to delete elements? (-∞,x1) (x1,x3) (x1, x2) (x2, x3) (x5, x6) (x3, x4) (x4, x5) (x6, ∞)
  • 51. How to delete elements? (-∞,x1) (x1, x3) (x6, ∞) (x5, x6) (x3, x4) (x4, x5)
  • 52. Bibliography  [BeMa92] Efficient Broadcast Time-Stamping Josh Benaloh and Michael de Mare 1992  [BeMa94] One-way Accumulators: A decentralized Alternative to Digital Signatures Josh Benaloh and Michael de Mare , 1994  [BarPfi97] Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees Niko Barić and Birgit Pfitzmann 1997  [CGS97] A secure and optimally efficient multi-authority election scheme R. Cramer, R. Gennaro, and B. Schoenmakers 1997  [Koch98] On certificate revocation and validation P.C. Kocher 1998  [CGH98] The random oracle methodoly revisited R. Canetti, O. Goldreich and S. Halevi 1998  [Sand99] Efficient Accumulators Without Trapdoor Tomas Sanders 1999  [GoTa01] An efficient and Distributed Cryptographic Accumulator Michael T. Goodrich and Roberto Tamassia 2001  [CamLys02] Dynamic Accumulators And Application to Efficient Revocation of Anonymous Credentials Jan Camenisch Anna Lysyanskaya 2002  [GeRa04] RSA Accumulator Based Broadcast Encryption Craig Gentry and Zulfikar Ramzan 2004  [LLX07] Universal Accumulators with Efficient Nonmembership Proofs Jiangtao Li, Ninghui Li and Rui Xue 2007  [AWSM07] Compact E-Cash from Bounded Accumulator Man Ho Au, Qianhong Wu, Willy Susilo and Yi Mu 2007  [WWP08] A new Dynamic Accumulator for Batch Updates Peishun Wang, Huaxiong Wang and Josef Pieprzyk 2008  [CKHO08] Strong Accumulators from Collision-Resistant Hashing Philippe Camacho, Alejandro Hevia, Marcos Kiwi, and Roberto Opazo 2008