RSA Accumulator Oct 29, 2019 Overview Definitions modulus math - PowerPoint PPT Presentation

RSA Accumulator Oct 29, 2019

Overview • Definitions • modulus math • RSA Accumulator • Hash to prime • E ffi cient algorithms (Batching) • Trusted Setup problem • Class Group accumulators

Terminology • Accumulator : “A cryptographic accumulator is a primitive that produces a short binding commitment to a set of elements together with short membership/non-membership proofs for any element in the set.” • Dynamic Accumulator : “Accumulator which supports addition/deletion of elements with O(1) cost, independent of the number of accumulated elements” • Universal Accumulator : “Dynamic Accumulator which supports membership and non-membership proofs” — D. Boneh, B. Bünz, B. Fisch, “Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains”, 2018

Accumulator • What exactly do we need for an accumulator? • Base value (i.e. Merkle Tree root) = Accumulator • Either • the set of inputs (to generate a membership proof on-the-fly when needed) • or the set of membership proofs for each element = Witness

Module Math +4 Addition, Multiplication, etc. all well defined N prime (13) ( a + b ) mod N = ( ( a mod N ) + ( b mod N ) mod N )

Module Math A generator is an element so x that produce all { x ,2 x ,3 x , …} elements. E.g.: x = 4 ⇒ 4,8,12,3,7,11,2,6,10,1,5,9,0 Number of generators called Φ ( N ) N prime (13) If is prime, then Φ ( N ) = N − 1 N (every number except 0 is generator) ( a + b ) mod N = ( ( a mod N ) + ( b mod N ) mod N )

Module Math If is not prime, some N numbers are not generators. I.e. x = 6 ⇒ 6,12,4,10,2,8,0,6,… (1,3,5,7,9,11,13, can not be generated) N not prime (14)

Module Math • If , with prime, then the number of N = pq p , q generators is Φ ( N ) = ( p − 1)( q − 1)

Module Math N = 14, p = 2, q = 7, Φ (14) = 6 0: {0} 1: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13} 2: {0, 2, 4, 6, 8, 10, 12} 3: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13} 4: {0, 2, 4, 6, 8, 10, 12} 5: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13} 6: {0, 2, 4, 6, 8, 10, 12} 7: {0, 7} 8: {0, 2, 4, 6, 8, 10, 12} 9: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13} 10: {0, 2, 4, 6, 8, 10, 12} 11: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13} 12: {0, 2, 4, 6, 8, 10, 12} 13: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13} N not prime (14)

Module Math Group with unknown order • Assume 2 large prime numbers and p , q n = pq • It is impossible to compute and given p q n • Number of generators is secret Φ ( n ) = ( p − 1)( q − 1) • Do all math mod n a ϕ ( n ) − 1 = a − 1 mod n • if then (used is RSA crypto) gcd( a , n ) = 1 3 ϕ (14) − 1 = 3 6 − 1 = 3 5 mod 14 = 5 mod 14 • E.g. • 5 is the inverse of , because 3 ⋅ 5 = 15 = 1 mod 14 3 mod 14

Module Math Group with unknown order • Assume 2 large prime numbers and p , q n = pq • Number of generators Φ ( n ) = ( p − 1)( q − 1) gcd( a , n ) = 1 a ϕ ( n ) − 1 = a − 1 mod n • : • Without , no p , q ϕ ( n ) • Without , no inverse ϕ ( n ) • and also no roots 1 x mod n a

RSA Accumulator • Using modulo math, assume we have a number A ∈ ℤ N • Assume we have a hash function that creates a prime number as output ℋ P (…) A ′ � = A ℋ p ( document ) • Then is a RSA-Accumulator

RSA Acumulator A random • Init: Empty accumulator ← ℤ n A new = A e mod n • Add an element (if is prime) e e ( A e ) 1 1 • Witness: , because A = A e • The accumulator without the element is the witness • Verify by adding the element and check for equality

RSA Accumulator • If the order is unknown, 1 can not be computed A e • When adding an element, keep the old accumulator as witness • When adding further elements, update the witnesses

Witness Adding element to accumulator e A A e A add e keep A as witness for e A

Witness Adding element to accumulator A ′ � f A e A ef A add e add f keep A as witness for e A f A add f update witness for e A e keep as witness for f A e

Witness Adding element to accumulator A ′ � f A e A ef A add e add f keep A as Verify: witness for e e = A ef A f ( A f ) A add f update witness for e A e keep as witness for f f = A ef A e ( A e )

Witnesses • Accumulator B = A e 1 ⋅ e 2 ⋯ e n • has accumulated the set 𝒯 = { e 1 , e 2 , …, e n } B • is a single number (2048 bits), independent of the size of B the set 𝒯 • A witness A e 1 ⋯ e i − 1 e i +1 ⋯ e n for an element is simply W e i e i • a single number e i ? ( W e i ) • Verification via one exponentiation = B

Hash to prime • Currently we treated all elements as prime numbers e i • We need a hash function that produces primes

Hash to prime • Currently we treated all elements as prime numbers e i • We need a hash function that produces primes • The output of a hash is a number 1. Test for primality. • if yes done → • if no hash the output once more. GOTO 1 → until prime ℋ ( e ) → ℋ ( ℋ ( e )) → ℋ ( ℋ ( ℋ ( e ))) → …

Overview so far • Blockchain uses an accumulator as summary of UTXO A • A = g x 1 ⋯ x m mod n , with secret primes n = pq • Clients provide witness that their unspent tx output is available • With every transaction • Clients need to update their witnesses • Costly and cumbersome

UTXO Replacement • Theoretically, bitcoin could replace the UTXO set with an RSA Accumulator A ℋ ( tx output ) • Adding the output of a new transaction: • Spending: Prove membership via witness W txo • Elements are removed, when output is spend • Witness itself is accumulator with the value

Outsourcing work • A client can outsource the witness keeping to a third party • Batching witness maintenance should be cheap • A client must be confident that the witness update was done correctly … provide witness with node Block new transaction proof of proper Block witness maintenance node task of maintaining Block node witness (and payment) Block node Witness Block Maintainer Block read recent tx’s and apply updates

Outsourcing work • Batching work is cheaper than individual witnesses maintenance • Proof of correct computation • should be cheaper than redoing the computation

BatchAdd / BatchDel • Assume we have • An accumulator A • a set of accumulated elements { x 1 , x 2 , …} • For each element a witness x i W A , x i • Now, we add (delete) an element. How many operations? • Add: exponentiate each witness O ( n ) • Delete: Recreate each witness with the new set O ( n 2 )

BatchAdd / BatchDel • Accumulator , accumulated elements A { x 1 , x 2 , …} • For each element a witness x i W A , x i • With BatchAdd / BatchDel: • Store set of base elements { x 1 , x 2 , …} • Compute jointly in { W A , x 1 , W A , x 2 , …, W A , x n } O ( n log( n )) • Per element cost of O (log( n )) https://eprint.iacr.org/2018/1188.pdf

BatchAdd / BatchDel • The function RootFactor takes as input a base number g and a set of elements and returns the list of all x 1 , x 2 , …, x n g x 2 x 3 ⋯ c n , g x 1 x 3 x 4 ⋯ x n , …, g x 1 x 2 ⋯ x n − 1 witnesses • Run time O ( n log( n ))

BatchAdd / BatchDel { x 1 , x 2 , x 3 , x 4 } g L = g x 1 x 2 , g R = g x 3 x 4 g L = ( g x 3 x 4 ) x 1 , g R = ( g x 3 x 4 ) x 2 g L = ( g x 1 x 2 ) x 3 , g R = ( g x 1 x 2 ) x 4 g x 3 x 4 x 2 g x 3 x 4 x 1 g x 1 x 2 x 4 g x 1 x 2 x 3 x 1 x 2 x 3 x 4

Proof of correct computation • Client computes x * = x 1 x 2 ⋯ c m • Database maintainer computes A ′ � = A x * and transmits • A ′ � • Proof of exponentiation for A ′ � = A x * so that ( x *, A , A ′ � )


 Proof of Exponentiation A ′ � = A x * for so that ( x *, A , A ′ � ) Prover Verifier send , random prime l q = ⌊ x * compute , residue r, l ⌋ so that x * = ql + r Q = A q mod n send Compute r = ( x mod l ) Q l A r = A ′ � mod n Accept if l A r = A ql + r = A x * = A ′ � Q l A r = ( A q ) • • Main work is done in computing A q

Proof of Exponentiation A ′ � = A x * for so that ( x *, A , A ′ � ) • Verifier • send , random prime. Assume l ∈ 0…2 λ l • receives , q • compute r = ( x mod l ) l A r = A ′ � mod n • Accept if ( A q ) ( x mod l ) Q l A r • Computing A x * , , is much cheaper than • Computing A x * λ 3 takes times as long as ( x mod l )

Trusted Setup • are toxic waste secrets p , q • we can use old factorization problems • we trust that the factors have been forgotten p , q • E.g. RSA Factoring Challenge https://en.wikipedia.org/wiki/RSA_Factoring_Challenge • Win 200000$ if you can factor n=2519590847565789349402718324004839857142928212620403202777713783604366202070759 555626401852588078440691829064124951508218929855914917618450280848912007284499268 7392807287776735971418347270261896375014971824691165077613379859095700097330459748 8084284017974291006424586918171951187461215151726546322822168699875491824224336372 5908514186546204357679842338718477444792073993423658482382428119816381501067481045 1660377306056201619676256133844143603833904414952634432190114657544454178424020924 616515723350778707749817125772467962926386356373289912154831438167899885040445364 023527381951378636564391212010397122822120720357