Abstract
A cryptographic accumulator is a succinct set commitment scheme with efficient (non-)membership proofs that typically supports updates (additions and deletions) on the accumulated set. When elements are added to or deleted from the set, an update message is issued. The collection of all the update messages essentially leaks the underlying accumulated set which in certain applications is not desirable.
In this work, we define oblivious accumulators, a set commitment with concise membership proofs that hides the elements and the set size from every entity: an outsider, a verifier or other element holders. We formalize this notion of privacy via two properties: element hiding and add-delete indistinguishability. We also define almost-oblivious accumulators, that only achieve a weaker notion of privacy called add-delete unlinkability. Such accumulators hide the elements but not the set size. We consider the trapdoorless, decentralized setting where different users can add and delete elements from the accumulator and compute membership proofs.
We then give a generic construction of an oblivious accumulator based on key-value commitments (\(\textsf{KVC}\)). We also show a generic way to construct \(\textsf{KVC}\)s from an accumulator and a vector commitment scheme. Finally, we give lower bounds on the communication (size of update messages) required for oblivious accumulators and almost-oblivious accumulators.
F. Baldimtsi and I. Karantaidou are supported by NSF Awards #2143287 and #2247304, as well as a Google Faculty Award. Ioanna Karantaidou is additionally supported by a Protocol Labs Fellowship.
I. Karantaidou—Part of this work was done while the second author was an intern at Visa Research.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
In a sense, \(\textsf{aux}\) is a summary of how x was hidden in order to achieve the privacy properties that we discuss ahead.
- 2.
In the experiment defining security, we also assume that elements that have not yet been added are never requested to be deleted by the adversary.
- 3.
We assume that \(0 \in \mathcal {D}\).
- 4.
One can also readily support key-deletion, but we ignore this in our presentation.
- 5.
This is an implementation detail and can be assumed to be available in practice.
- 6.
We are slightly cheating here as we have stored the key-value pair as the element in the vector and we only wish to add \(\delta \) to the value component of this pair. This can be realized in practice by carefully handling the sizes of \(\mathcal {K}\) and \(\mathcal {V}\) to simulate addition to the value component by performing regular addition and avoiding overflows. The alternative is to store just the value in \(\textsf{VC}\), but then \(\textsf{Acc}\) would have to store the keys with the positions where their values are stored in \(\textsf{VC}\), which would mean that a non-membership proof for our \(\textsf{KVC}\) would now have to be a batched non-membership proof of \(\textsf{Acc}\), which is also a viable solution, but may be less efficient depending on how large \(|\mathcal {K}_{\mathcal {M}}|\) becomes.
- 7.
We assume that the number of key-value pairs that will ever be inserted into our \(\textsf{KVC}\) is less than \(2^{\lambda }\).
- 8.
This is obtained using \(\textsf{KeyPosProofCreate}(k,q_k,\cdot )\) and \(\textsf{KeyPosProofUpdate}(\varLambda _{k,q_k}, \cdot )\).
- 9.
- 10.
Indeed, note that if only one operation has been performed, we know that it must be an \(\textsf{Add}\), but we don’t necessarily know the element that has been added.
- 11.
For example, if we have a sequence of four operations, they cannot be one \(\textsf{Add}\) and three \(\textsf{Del}\)s.
- 12.
One could imagine that they are also required for updating membership proofs, but we will not need this and so opt for the stronger definition where \(\textsf{aux}\) is only needed to generate membership proofs.
- 13.
In the almost-oblivious accumulator which reveals the size of the accumulated set, this might be more problematic if in the underlying application the size of the set is important and should only contain unique elements.
References
Acar, T., Nguyen, L.: Revocation for delegatable anonymous credentials. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 423–440. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_26
Agrawal, S., Raghuraman, S.: KVaC: key-value commitments for blockchains and beyond. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 839–869. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_28
Au, M.H., Tsang, P.P., Susilo, W., Mu, Y.: Dynamic universal accumulators for DDH groups and their application to attribute-based anonymous credential systems. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 295–308. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_20
Au, M.H., Tsang, P.P., Susilo, W., Mu, Y.: Dynamic universal accumulators for DDH groups and their application to attribute-based anonymous credential systems. In: Fischlin, M. (ed.) Topics in Cryptology - CT-RSA 2009, pp. 295–308. Springer, Berlin Heidelberg, Berlin, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_20
Baldimtsi, F., et al.: Accumulators with applications to anonymity-preserving revocation. In: 2017 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 301–315. IEEE (2017)
Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_33
Benaloh, J., de Mare, M.: One-Way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) Advances in Cryptology – EUROCRYPT ’93, pp. 274–285. Springer, Berlin Heidelberg (1993). https://doi.org/10.1007/3-540-48285-7_24
Benarroch, D., Campanelli, M., Fiore, D., Gurkan, K., Kolonelos, D.: Zero-knowledge proofs for set membership: efficient, succinct, modular. In: International Conference on Financial Cryptography and Data Security, pp. 393–414. Springer (2021). https://doi.org/10.1007/s10623-023-01245-1
Boneh, D., Bünz, B., Fisch, B.: Batching techniques for accumulators with applications to IOPs and stateless blockchains. In: Boldyreva, A., Micciancio, D. (eds.) Advances in Cryptology - CRYPTO 2019, pp. 561–586. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_20
Camacho, P., Hevia, A.: On the impossibility of batch update for cryptographic accumulators. In: Progress in Cryptology–LATINCRYPT 2010: First International Conference on Cryptology and Information Security in Latin America, Puebla, Mexico, August 8-11, 2010, Proceedings 1, pp. 178–188. Springer (2010). https://doi.org/10.1007/978-3-642-14712-8_11
Camenisch, J., Kohlweiss, M., Soriente, C.: An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In: Jarecki, S., Tsudik, G. (eds.) Public Key Cryptography - PKC 2009, pp. 481–500. Springer, Berlin, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_27
Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) Advances in Cryptology – CRYPTO 2002, pp. 61–76. Springer, Berlin, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_5
Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: CRYPTO (1997)
Campanelli, M., Fiore, D., Han, S., Kim, J., Kolonelos, D., Oh, H.: Succinct zero-knowledge batch proofs for set accumulators. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 455–469 (2022)
de Castro, L., Peikert, C.: Functional commitments for all functions, with transparent setup and from sis. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. pp. 287–320. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_10
Catalano, D., Fiore, D.: Vector commitments and their applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 55–72. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_5
Chen, B., et al.: Rotatable zero knowledge sets - post compromise secure auditable dictionaries with application to key transparency. In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology - ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, December 5-9, 2022, Proceedings, Part III. Lecture Notes in Computer Science, vol. 13793, pp. 547–580. Springer (2022)
Chepurnoy, A., Papamanthou, C., Srinivasan, S., Zhang, Y.: EDRAX: a Cryptocurrency with Stateless Transaction Validation. Cryptology ePrint Archive, Report 2018/968 (2018)
Christ, M., Bonneau, J.: Limits on revocable proof systems, with applications to stateless blockchains. Cryptology ePrint Archive (2022)
Damgård, I., Triandopoulos, N.: Supporting non-membership proofs with bilinear-map accumulators. Cryptology ePrint Archive, Report 2008/538 (2008)
Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in ad hoc groups. In: Eurocrypt (2004)
Fiore, D., Kolonelos, D., de Perthuis, P.: Cuckoo commitments: registration-based encryption and key-value map commitments for large spaces. Cryptology ePrint Archive (2023)
Ghosh, E., Ohrimenko, O., Papadopoulos, D., Tamassia, R., Triandopoulos, N.: Zero-knowledge accumulators and set algebra. In: Asiacrypt (2016)
Jarecki, S., Kiayias, A., Krawczyk, H.: Round-optimal password-protected secret sharing and T-PAKE in the password-only model. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 233–253. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_13
Karantaidou, I., Baldimtsi, F.: Efficient constructions of pairing based accumulators. In: 2021 IEEE 34th Computer Security Foundations Symposium (CSF), pp. 1–16. IEEE (2021)
Leung, D., Gilad, Y., Gorbunov, S., Reyzin, L., Zeldovich, N.: Aardvark: an asynchronous authenticated dictionary with applications to account-based cryptocurrencies. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 4237–4254 (2022)
Li, J., Li, N., Xue, R.: Universal accumulators with efficient nonmembership proofs. In: Katz, J., Yung, M. (eds.) Applied Cryptography and Network Security, pp. 253–269. Springer, Berlin, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5_17
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Eurocrypt (2016)
Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed E-Cash from bitcoin. In: 2013 IEEE Symposium on Security and Privacy, pp. 397–411 (2013)
Nguyen, L.: Accumulators from bilinear pairings and applications. In: Menezes, A. (ed.) Topics in Cryptology - CT-RSA 2005, pp. 275–292. Springer, Berlin, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_19
Nguyen, L., Safavi-Naini, R.: Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings. In: Asiacrypt (2004)
Srinivasan, S., Karantaidou, I., Baldimtsi, F., Papamanthou, C.: Batching, aggregation, and zero-knowledge proofs in bilinear accumulators. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 2719–2733 (2022)
Sun, S.F., Au, M.H., Liu, J.K., Yuen, T.H.: RingCT 2.0: a compact accumulator-based (linkable ring signature) protocol for blockchain cryptocurrency Monero. In: ESORICS (2017)
Tomescu, A., Bhupatiraju, V., Papadopoulos, D., Papamanthou, C., Triandopoulos, N., Devadas, S.: Transparency logs via append-only authenticated dictionaries. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1299–1316 (2019)
Tomescu, A., Xia, Y., Newman, Z.: Authenticated dictionaries with cross-incremental proof (dis) aggregation. Cryptology ePrint Archive (2020)
Tyagi, N., Fisch, B., Zitek, A., Bonneau, J., Tessaro, S.: VeRSA: verifiable registries with efficient client audits from RSA authenticated dictionaries. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 2793–2807 (2022)
Zhang, Y., Katz, J., Papamanthou, C.: An expressive (Zero-Knowledge) set accumulator. In: 2017 IEEE European Symposium on Security and Privacy (EuroS P), pp. 158–173 (2017)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 International Association for Cryptologic Research
About this paper
Cite this paper
Baldimtsi, F., Karantaidou, I., Raghuraman, S. (2024). Oblivious Accumulators. In: Tang, Q., Teague, V. (eds) Public-Key Cryptography – PKC 2024. PKC 2024. Lecture Notes in Computer Science, vol 14602. Springer, Cham. https://doi.org/10.1007/978-3-031-57722-2_4
Download citation
DOI: https://doi.org/10.1007/978-3-031-57722-2_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57721-5
Online ISBN: 978-3-031-57722-2
eBook Packages: Computer ScienceComputer Science (R0)