RSA Accumulator Oct 29, 2019 Overview Definitions modulus math - - PowerPoint PPT Presentation



slide-1
SLIDE 1

RSA Accumulator

Oct 29, 2019

slide-2
SLIDE 2

Overview

  • Definitions
  • modulus math
  • RSA Accumulator
  • Hash to prime
  • Efficient algorithms (Batching)
  • Trusted Setup problem
  • Class Group accumulators
slide-3
SLIDE 3

Terminology

  • Accumulator: “A cryptographic accumulator is a primitive that produces a short binding commitment to a set of elements together with short membership/non-membership proofs for any element in the set.”
  • Dynamic Accumulator: “Accumulator which supports addition/deletion of elements with O(1) cost, independent of the number of accumulated elements”
  • Universal Accumulator: “Dynamic Accumulator which supports membership and non-membership proofs”

— D. Boneh, B. Bünz, B. Fisch, “Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains”, 2018

slide-4
SLIDE 4

Accumulator

  • What exactly do we need for an accumulator?
  • Base value (i.e. Merkle Tree root)
  • Either
    • the set of inputs (to generate a membership proof on-the-fly when needed)
    • or the set of membership proofs for each element

[Figure legend: Accumulator, Witness]

slide-5
SLIDE 5

Modulo Math

$(a + b) \bmod N = ((a \bmod N) + (b \bmod N)) \bmod N$

Addition, Multiplication, etc. all well defined

[Figure: $N$ prime (13), step +4]

slide-6
SLIDE 6

Modulo Math

$(a + b) \bmod N = ((a \bmod N) + (b \bmod N)) \bmod N$

[Figure: $N$ prime (13)]

A generator is an element $x$ so that $\{x, 2x, 3x, \ldots\}$ produce all elements. E.g.: $x = 4 \Rightarrow 4, 8, 12, 3, 7, 11, 2, 6, 10, 1, 5, 9, 0$

Number of generators called $\Phi(N)$. If $N$ is prime, then $\Phi(N) = N - 1$ (every number except 0 is generator)

slide-7
SLIDE 7

Modulo Math

[Figure: $N$ not prime (14)]

If $N$ is not prime, some numbers are not generators. I.e. $x = 6 \Rightarrow 6, 12, 4, 10, 2, 8, 0, 6, \ldots$ (1, 3, 5, 7, 9, 11, 13 can not be generated)

slide-8
SLIDE 8

Modulo Math

  • If $N = pq$, with $p, q$ prime, then the number of generators is $\Phi(N) = (p - 1)(q - 1)$

slide-9
SLIDE 9

Modulo Math

$N$ not prime (14)

$N = 14,\ p = 2,\ q = 7,\ \Phi(14) = 6$

0: {0}
1: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13}
2: {0, 2, 4, 6, 8, 10, 12}
3: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13}
4: {0, 2, 4, 6, 8, 10, 12}
5: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13}
6: {0, 2, 4, 6, 8, 10, 12}
7: {0, 7}
8: {0, 2, 4, 6, 8, 10, 12}
9: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13}
10: {0, 2, 4, 6, 8, 10, 12}
11: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13}
12: {0, 2, 4, 6, 8, 10, 12}
13: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13}

slide-10
SLIDE 10

Modulo Math: Group with unknown order

  • Assume 2 large prime numbers $p, q$ and $n = pq$
  • It is impossible to compute $p$ and $q$ given $n$
  • Number of generators $\Phi(n) = (p - 1)(q - 1)$ is secret
  • Do all math $\bmod n$
  • if $\gcd(a, n) = 1$ then $a^{\phi(n)-1} = a^{-1} \bmod n$ (used in RSA crypto)
  • E.g. $3^{\phi(14)-1} = 3^{6-1} = 3^5 \bmod 14 = 5 \bmod 14$
  • 5 is the inverse of $3 \bmod 14$, because $3 \cdot 5 = 15 = 1 \bmod 14$

slide-11
SLIDE 11

Modulo Math: Group with unknown order

  • Assume 2 large prime numbers $p, q$ and $n = pq$
  • Number of generators $\Phi(n) = (p - 1)(q - 1)$
  • $\gcd(a, n) = 1$: $a^{\phi(n)-1} = a^{-1} \bmod n$
  • Without $p, q$, no $\phi(n)$
  • Without $\phi(n)$, no inverse
  • and also no roots $a^{1/x} \bmod n$

slide-12
SLIDE 12

RSA Accumulator

  • Using modulo math, assume we have a number $A \in \mathbb{Z}_N$
  • Assume we have a hash function $\mathcal{H}_P(\ldots)$ that creates a prime number as output
  • Then $A' = A^{\mathcal{H}_P(\text{document})}$ is a RSA-Accumulator

slide-13
SLIDE 13

RSA Accumulator

  • Init: Empty accumulator $A \xleftarrow{\text{random}} \mathbb{Z}_n$
  • Add an element $A_{new} = A^e \bmod n$ (if $e$ is prime)
  • Witness: $A^{1/e}$, because $(A^{1/e})^e = A$
  • The accumulator without the element is the witness
  • Verify by adding the element and check for equality

slide-14
SLIDE 14

RSA Accumulator

  • If the order is unknown, $A^{1/e}$ can not be computed
  • When adding an element, keep the old accumulator as witness
  • When adding further elements, update the witnesses

slide-15
SLIDE 15

Witness

Adding element to accumulator

  • add $e$: $A \to A^e$
  • keep $A$ as witness for $e$

slide-16
SLIDE 16

Witness

Adding element to accumulator

  • add $e$: $A \to A^e$; keep $A$ as witness for $e$
  • add $f$: $A^e \to A^{ef}$; keep $A^e$ as witness for $f$
  • update witness for $e$ (add $f$): $A \to A^f$

slide-17
SLIDE 17

Witness

Adding element to accumulator

  • add $e$: $A \to A^e$; keep $A$ as witness for $e$
  • add $f$: $A^e \to A^{ef}$; keep $A^e$ as witness for $f$
  • update witness for $e$ (add $f$): $A \to A^f$

Verify:

  • $(A^f)^e = A^{ef}$
  • $(A^e)^f = A^{ef}$

slide-18
SLIDE 18

Witnesses

  • Accumulator $B = A^{e_1 \cdot e_2 \cdots e_n}$
    • $B$ has accumulated the set $\mathcal{T} = \{e_1, e_2, \ldots, e_n\}$
    • $B$ is a single number (2048 bits), independent of the size of the set $\mathcal{T}$
  • A witness $W_{e_i}$ for an element $e_i$ is simply $A^{e_1 \cdots e_{i-1} e_{i+1} \cdots e_n}$
    • a single number
    • Verification via one exponentiation: $(W_{e_i})^{e_i} \stackrel{?}{=} B$

slide-19
SLIDE 19

Hash to prime

  • Currently we treated all elements $e_i$ as prime numbers
  • We need a hash function that produces primes

slide-20
SLIDE 20

Hash to prime

  • Currently we treated all elements $e_i$ as prime numbers
  • We need a hash function that produces primes
  • The output of a hash is a number
  • 1. Test for primality.
    • if yes → done
    • if no → hash the output once more. GOTO 1 until prime

$\mathcal{H}(e) \to \mathcal{H}(\mathcal{H}(e)) \to \mathcal{H}(\mathcal{H}(\mathcal{H}(e))) \to \ldots$
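Added example (not from the slides): the hash-to-prime loop above combined with the add / keep-witness / update-witness / verify steps from the Witness slides, in Python. The toy modulus `N`, the start value `A0`, the 64-bit truncation of SHA-256 and the sample inputs are assumptions chosen so the code runs instantly; they are far too small for real use.

```python
import hashlib

# Constructed toy parameters: a real modulus is ~2048 bits with unknown factors.
N = 1000003 * 1000033
A0 = 3  # initial accumulator value A

def is_prime(m):
    """Miller-Rabin; these 12 bases are deterministic for 64-bit inputs."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if m < 2:
        return False
    for p in bases:
        if m % p == 0:
            return m == p
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def hash_to_prime(data):
    """Hash, test for primality, re-hash the output until it is prime."""
    h = hashlib.sha256(data).digest()
    while not is_prime(int.from_bytes(h[:8], "big")):  # 64-bit cut: toy choice
        h = hashlib.sha256(h).digest()
    return int.from_bytes(h[:8], "big")

def add(acc, e):
    return pow(acc, e, N)               # A_new = A^e mod n

def verify(acc, witness, e):
    return pow(witness, e, N) == acc    # one exponentiation

def demo():
    e, f = hash_to_prime(b"tx-output-1"), hash_to_prime(b"tx-output-2")
    w_e, acc = A0, add(A0, e)           # add e, keep old accumulator A as witness
    w_f, acc = acc, add(acc, f)         # add f, keep A^e as witness for f
    w_e = add(w_e, f)                   # update witness for e: A -> A^f
    # Last check pairs f's witness with e and must fail.
    return verify(acc, w_e, e), verify(acc, w_f, f), verify(acc, w_f, e)
```
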

slide-21
SLIDE 21

Overview so far

  • Blockchain uses an accumulator $A$ as summary of UTXO
  • $A = g^{x_1 \cdots x_m} \bmod n$, with $n = pq$ secret primes
  • Clients provide witness that their unspent tx output is available
  • With every transaction
    • Clients need to update their witnesses
    • Costly and cumbersome

slide-22
SLIDE 22

UTXO Replacement

  • Theoretically, bitcoin could replace the UTXO set with an RSA Accumulator
  • Adding the output of a new transaction: $A^{\mathcal{H}(\text{tx output})}$
  • Spending: Prove membership via witness
  • Elements are removed when the output is spent
  • Witness itself is accumulator with the value $W_{txo}$

slide-23
SLIDE 23

Outsourcing work

  • A client can outsource the witness keeping to a third party
  • Batching witness maintenance should be cheap
  • A client must be confident that the witness update was done correctly

[Figure: chain of blocks, nodes and a Witness Maintainer. Labels: "provide witness with new transaction", "read recent tx’s and apply updates", "proof of proper witness maintenance", "task of maintaining witness (and payment)"]

slide-24
SLIDE 24

Outsourcing work

  • Batching work is cheaper than individual witnesses maintenance
  • Proof of correct computation
    • should be cheaper than redoing the computation
slide-25
SLIDE 25

BatchAdd / BatchDel

  • Assume we have
    • An accumulator $A$
    • a set of accumulated elements $\{x_1, x_2, \ldots\}$
    • For each element $x_i$ a witness $W_{A,x_i}$
  • Now, we add (delete) an element. How many operations?
    • Add: exponentiate each witness: $O(n)$
    • Delete: Recreate each witness with the new set: $O(n^2)$

slide-26
SLIDE 26

BatchAdd / BatchDel

  • Accumulator $A$, accumulated elements $\{x_1, x_2, \ldots\}$
  • For each element $x_i$ a witness $W_{A,x_i}$
  • With BatchAdd / BatchDel:
    • Store set of base elements $\{x_1, x_2, \ldots\}$
    • Compute jointly $\{W_{A,x_1}, W_{A,x_2}, \ldots, W_{A,x_n}\}$ in $O(n \log(n))$
    • Per element cost of $O(\log(n))$

https://eprint.iacr.org/2018/1188.pdf

slide-27
SLIDE 27

BatchAdd / BatchDel

  • The function RootFactor takes as input a base number $g$ and a set of elements $x_1, x_2, \ldots, x_n$ and returns the list of all witnesses $g^{x_2 x_3 \cdots x_n},\ g^{x_1 x_3 x_4 \cdots x_n},\ \ldots,\ g^{x_1 x_2 \cdots x_{n-1}}$
  • Run time $O(n \log(n))$

slide-28
SLIDE 28

BatchAdd / BatchDel

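[Figure: RootFactor recursion tree for $\{x_1, x_2, x_3, x_4\}$]

  • Root $\{x_1, x_2, x_3, x_4\}$: $g_L = g^{x_1 x_2}$, $g_R = g^{x_3 x_4}$
  • Left subtree ($x_1, x_2$): $g_L = (g^{x_3 x_4})^{x_1}$, $g_R = (g^{x_3 x_4})^{x_2}$
  • Right subtree ($x_3, x_4$): $g_L = (g^{x_1 x_2})^{x_3}$, $g_R = (g^{x_1 x_2})^{x_4}$
  • Leaves: $x_1$: $g^{x_3 x_4 x_2}$, $x_2$: $g^{x_3 x_4 x_1}$, $x_3$: $g^{x_1 x_2 x_4}$, $x_4$: $g^{x_1 x_2 x_3}$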
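Added example (not from the slides): the RootFactor recursion drawn above, in Python, checked against the naive per-element recomputation and with modular exponentiations counted to show the $O(n \log n)$ versus $O(n^2)$ gap. The toy modulus `N`, base `G` and the element list `XS` are constructed values.

```python
N = 1000003 * 1000033             # constructed toy modulus
G = 3                             # base number g
XS = [5, 7, 11, 13, 17, 19, 23, 29]   # constructed prime elements
calls = {"exp": 0}                # counts modular exponentiations

def mexp(base, x):
    calls["exp"] += 1
    return pow(base, x, N)

def accumulate(g, xs):
    """g^(x1*x2*...*xn) mod N, one exponentiation per element."""
    for x in xs:
        g = mexp(g, x)
    return g

def root_factor(g, xs):
    """Return [g^(prod of all xs except xs[i])] for every i."""
    if len(xs) == 1:
        return [g]
    half = len(xs) // 2
    g_left = accumulate(g, xs[:half])     # g_L = g^(left half)
    g_right = accumulate(g, xs[half:])    # g_R = g^(right half)
    # Left elements recurse on g_R (it already holds the right half), and
    # right elements recurse on g_L.
    return root_factor(g_right, xs[:half]) + root_factor(g_left, xs[half:])

def naive(g, xs):
    """Recreate each witness from scratch: n * (n - 1) exponentiations."""
    return [accumulate(g, xs[:i] + xs[i + 1:]) for i in range(len(xs))]

def compare(xs):
    calls["exp"] = 0
    fast = root_factor(G, xs)
    n_fast = calls["exp"]
    calls["exp"] = 0
    slow = naive(G, xs)
    return fast == slow, n_fast, calls["exp"]

def all_witnesses_verify(xs):
    acc = accumulate(G, xs)
    return all(pow(w, x, N) == acc for w, x in zip(root_factor(G, xs), xs))
```

For the 8 elements in `XS`, RootFactor needs 24 exponentiations (8 per level over 3 levels) where the naive method needs 56.
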

slide-29
SLIDE 29

Proof of correct computation

  • Client computes $x^* = x_1 x_2 \cdots x_m$
  • Database maintainer computes $A' = A^{x^*}$ and transmits $A'$
  • Proof of exponentiation for $(x^*, A, A')$ so that $A' = A^{x^*}$

slide-30
SLIDE 30

Proof of Exponentiation

for $(x^*, A, A')$ so that $A' = A^{x^*}$

Prover

  • compute $q = \lfloor x^* / l \rfloor$, residue $r$, so that $x^* = ql + r$
  • send $Q = A^q \bmod n$

Verifier

  • send $l$, random prime
  • Compute $r = (x \bmod l)$
  • Accept if $Q^l A^r = A' \bmod n$

$Q^l A^r = (A^q)^l A^r = A^{ql+r} = A^{x^*} = A'$

  • Main work is done in computing $A^q$

slide-31
SLIDE 31

Proof of Exponentiation

for $(x^*, A, A')$ so that $A' = A^{x^*}$

  • Verifier
    • send $l$, random prime. Assume $l \in 0 \ldots 2^\lambda$
    • receives $q$
    • compute $r = (x \bmod l)$
    • Accept if $(A^q)^l A^r = A' \bmod n$
  • Computing $(x \bmod l)$, $Q^l$, $A^r$ is much cheaper than $A^{x^*}$
  • Computing $A^{x^*}$ takes $\lambda^3$ times as long as $(x \bmod l)$
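Added example (not from the slides): both sides of the proof-of-exponentiation exchange above, in Python. The toy modulus `N`, the base `A`, the 20-bit challenge size and the element list `XS` (four Mersenne primes) are assumptions for illustration; `tamper=True` models a maintainer who reports a wrong $A'$.

```python
import math
import secrets

N = 1000003 * 1000033    # constructed toy modulus; real use needs ~2048 bits
A = 3                    # accumulator before the batch update
XS = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1]   # constructed elements

def random_prime(bits=20):
    """Verifier's challenge l: a random odd prime (toy size, trial division)."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(c % d for d in range(3, math.isqrt(c) + 1, 2)):
            return c

def prove(x_star, a, l):
    """Prover: q = floor(x*/l), send Q = a^q mod n (the expensive step)."""
    return pow(a, x_star // l, N)

def verify(x_star, a, a_new, l, Q):
    """Verifier: r = x* mod l, accept iff Q^l * a^r == A' (mod n)."""
    r = x_star % l
    return pow(Q, l, N) * pow(a, r, N) % N == a_new

def run(xs, tamper=False):
    x_star = math.prod(xs)            # client: x* = x1 * x2 * ... * xm
    a_new = pow(A, x_star, N)         # maintainer: A' = A^x*
    if tamper:
        a_new = a_new * A % N         # maintainer reports A^(x*+1) instead
    l = random_prime()                # verifier sends challenge
    Q = prove(x_star, A, l)           # prover answers for the true exponent
    return verify(x_star, A, a_new, l, Q)
```

The verifier's two exponents, `l` and `r`, are at most 20 bits here, while `x_star` is about 384 bits and grows with every element added to the batch.
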

slide-32
SLIDE 32

Trusted Setup

  • $p, q$ are toxic waste secrets
  • we can use old factorization problems
    • we trust that the factors $p, q$ have been forgotten
  • E.g. RSA Factoring Challenge

https://en.wikipedia.org/wiki/RSA_Factoring_Challenge

  • Win 200000$ if you can factor

n=2519590847565789349402718324004839857142928212620403202777713783604366202070759 555626401852588078440691829064124951508218929855914917618450280848912007284499268 7392807287776735971418347270261896375014971824691165077613379859095700097330459748 8084284017974291006424586918171951187461215151726546322822168699875491824224336372 5908514186546204357679842338718477444792073993423658482382428119816381501067481045 1660377306056201619676256133844143603833904414952634432190114657544454178424020924 616515723350778707749817125772467962926386356373289912154831438167899885040445364 023527381951378636564391212010397122822120720357

slide-33
SLIDE 33

Class Group Accumulators

Class Group accumulators work similarly, no trusted setup

  • Consider the ring of integers of a quadratic extension $\mathbb{Q}(\sqrt{-p})$ with large prime $p$ and $p = 3 \bmod 4$
  • The set of all fractions $x + y\sqrt{-p}$ were $a + b\,\frac{1 + \sqrt{-p}}{2}$

slide-34
SLIDE 34

Class Group Accumulators

Example: $\mathbb{Q}(\sqrt{-5})$

  • In this ring we observe no unique factorization: $6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$

[Figure: Elements of $\mathbb{Q}(\sqrt{-5})$]

slide-35
SLIDE 35

Class Group Accumulators

Class Group accumulators work similarly, no trusted setup

  • Ideal: all numbers generated by a multiplication of base elements: $(\alpha_1, \ldots, \alpha_k) = \{c_1\alpha_1 + c_2\alpha_2 + \ldots + c_k\alpha_k\}$
  • Ex.: Every number of $\mathbb{Q}(\sqrt{-5})$ can be generated via $c_1 \cdot 2 + c_2 \cdot (1 + \sqrt{-5})$
  • Principal Ideals: If the ideal is generated by a single element, i.e. $(2) = 2\mathbb{Z}$ (principal ideals of even numbers)

slide-36
SLIDE 36

Class Group Accumulators

  • Class group: $\mathbb{Q}(\sqrt{-p})/J$
  • where $J$ is the subgroup of principal ideals in $\mathbb{Q}(\sqrt{-p})$

just like mod

slide-37
SLIDE 37

Class Group Accumulators

  • Example: $\mathbb{Q}(\sqrt{-5})$, $J = (2, 1 + \sqrt{-5})$

Elements of $\mathbb{Q}(\sqrt{-5})/J$. This looks the same as the ring $x \bmod 6$ (2 subgroups of order 2 and 3)

slide-38
SLIDE 38

Class Group Accumulators

  • Pick a random, large integer $p = 3 \bmod 4$
  • Use the elements of the class group of $\mathbb{Q}(\sqrt{-p})$
  • Group order, $n^{th}$ roots are believed to be hard to compute
  • Exponentiation slower, otherwise everything the same

slide-39
SLIDE 39

Summary

  • Accumulators can be used to squeeze a large set into a single element
  • Merkle Tree root can be seen as an accumulator
  • Even a blockchain is an accumulator
  • Dynamic accumulators: adding and deleting elements
  • Efficient accumulators perform adding/deleting in $O(1)$
  • As a UTXO replacement, they shift the burden of tracking the UTXO set to the individual users

slide-40
SLIDE 40

Remarks

  • Several algorithms exist to deal with large numbers of elements
  • Naively, updating $M$ elements requires $O(M)$ steps
  • Intelligently done, only $O(\log M)$ steps are needed
  • If the prime values $p, q$ are known, a new witness can be invented, since $A^{1/x}$ can be computed easily for any $x$
  • $p, q$ are called toxic waste (trusted setup)