Abstract
A universal accumulator provides a way to accumulate a set of elements into a single value. For each element, it can provide a short membership (resp. nonmembership) witness attesting that the element has (resp. has not) been accumulated. Combined with a suitable zero-knowledge proof system, it can be used to construct many privacy-preserving applications. However, existing universal accumulators are usually based on non-standard assumptions, e.g., the Strong RSA assumption and the Strong Diffie-Hellman assumption, and are not secure against quantum attacks. In this paper, we propose the first lattice-based universal accumulator from standard lattice-based assumptions. The starting point of our work is the lattice-based accumulator with Merkle-tree structure proposed by Libert et al. (Eurocrypt’16). We present a novel method to generate short witnesses for non-accumulated members in a Merkle tree, and give the construction of our universal accumulator. We also propose the first zero-knowledge arguments in the lattice-based setting for proving possession of the nonmembership witness of a non-accumulated value, via the abstract Stern’s protocol of Libert et al. (Asiacrypt’17). Moreover, our universal accumulator can be used to construct many privacy-preserving cryptographic primitives, such as group signatures and anonymous credentials.
References
Acar, T., Nguyen, L.: Revocation for delegatable anonymous credentials. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 423–440. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_26
Au, M.H., Tsang, P.P., Susilo, W., Mu, Y.: Dynamic universal accumulators for DDH groups and their application to attribute-based anonymous credential systems. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 295–308. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_20
Au, M.H., Wu, Q., Susilo, W., Mu, Y.: Compact E-cash from bounded accumulator. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 178–195. Springer, Heidelberg (2006). https://doi.org/10.1007/11967668_12
Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_33
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM (1993)
Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24
Buldas, A., Laud, P., Lipmaa, H.: Accountable certificate management using undeniable attestations. In: Proceedings of the 7th ACM Conference on Computer and Communications Security, pp. 9–17. ACM (2000)
Buldas, A., Laud, P., Lipmaa, H.: Eliminating counterevidence with applications to accountable certificate management. J. Comput. Secur. 10(3), 273–296 (2002)
Camacho, P., Hevia, A., Kiwi, M., Opazo, R.: Strong accumulators from collision-resistant hashing. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 471–486. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85886-7_32
Camenisch, J., Kohlweiss, M., Soriente, C.: An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 481–500. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_27
Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_5
Canard, S., Gouget, A.: Multiple denominations in E-cash with compact transaction data. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 82–97. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14577-3_9
Damgård, I., Triandopoulos, N.: Supporting non-membership proofs with bilinear-map accumulators. IACR Cryptology ePrint Archive 2008:538 (2008)
Derler, D., Hanser, C., Slamanig, D.: Revisiting cryptographic accumulators, additional properties and relations to other primitives. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 127–144. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_7
Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in Ad Hoc groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 609–626. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_36
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM (2008)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Goodrich, M.T., Tamassia, R., Hasić, J.: An efficient dynamic and distributed cryptographic accumulator*. In: Chan, A.H., Gligor, V. (eds.) ISC 2002. LNCS, vol. 2433, pp. 372–388. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45811-5_29
Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_23
Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 345–361. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_20
Li, J., Li, N., Xue, R.: Universal accumulators with efficient nonmembership proofs. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 253–269. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5_17
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 101–131. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_4
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 1–31. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_1
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based PRFs and applications to E-Cash. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 304–335. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_11
Lin, Z., Hopper, N.: Jack: Scalable accumulator-based Nymble system. In: Proceedings of the 9th Annual ACM Workshop on Privacy in the Electronic Society, pp. 53–62. ACM (2010)
Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_8
Ling, S., Nguyen, K., Wang, H.: Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 427–449. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_19
Ling, S., Nguyen, K., Wang, H., Xu, Y.: Lattice-based group signatures: achieving full dynamicity with ease. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 293–312. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_15
Lyubashevsky, V.: Fiat-shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed e-cash from bitcoin. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 397–411. IEEE (2013)
Peikert, C., et al.: A decade of lattice cryptography. Found. Trends® Theoret. Comput. Sci. 10(4), 283–424 (2016)
Sasson, E.B., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy (SP), pp. 459–474. IEEE (2014)
Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996)
Tsudik, G., Xu, S.: Accumulating composites and improved group signing. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 269–286. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_16
Acknowledgement
We thank the anonymous reviewers for their valuable suggestions. Part of this work was supported by the National Natural Science Foundation of China (Grant No. 61602396, U1636205, 61572294, 61632020), the MonashU-PolyU-Collinstar Capital Joint Lab on Blockchain and Cryptocurrency Technologies, and the Research Grants Council of Hong Kong (Grant No. 25206317). The work of Junzuo Lai was supported by the National Natural Science Foundation of China (Grant No. 61572235) and the Guangdong Natural Science Funds for Distinguished Young Scholar (No. 2015A030306045).
Appendices
A Zero-Knowledge Arguments of Knowledge
A zero-knowledge argument of knowledge [18] (\(\mathsf {ZKAoK}\)) is an interactive protocol in which a prover convinces a verifier that he possesses a witness for a statement in an \(\mathsf {NP}\) relation without revealing any information about the witness. We require it to have the following security properties [18]:
- Completeness. The prover can convince the verifier if he knows a witness testifying to the truth of the statement.
- Soundness. A malicious prover cannot convince the verifier if the statement is false.
- Zero-knowledge. A malicious verifier learns nothing from the proof beyond the fact that the statement is true.
- Extractability. A probabilistic polynomial-time extractor can extract the witness for a true statement from a convincing argument made by the prover.
In addition, as shown in [16] (the Fiat-Shamir heuristic), a three-round public-coin interactive \(\mathsf {ZKAoK}\) can be transformed into a non-interactive one in the random oracle model. We refer the reader to [5] for the security analysis of the Fiat-Shamir heuristic.
B Accumulator for Nonmembership
Observe that a universal accumulator concerns two types of witness: a witness for membership and a witness for nonmembership, where the first part is the original definition of an accumulator. We refer the reader to Definition 1 in [14] for the formal definition of an accumulator (for membership). For the nonmembership part, we separate out the scheme as follows:
Accumulator for Nonmembership. An accumulator for nonmembership consists of a tuple of algorithms (\(\mathsf {NM\textit{-}Setup}\), \(\mathsf {NM\textit{-}Acc}\), \(\mathsf {NM\textit{-}Witness}\), \(\mathsf {NM\textit{-}Verify}\)) given below:
- \(\mathsf {NM\textit{-}Setup}(n)\rightarrow \) pp. The algorithm takes as input a security parameter n and outputs the public parameter pp.
- \(\mathsf {NM\textit{-}Acc}_{pp}(R) \rightarrow \) \(\mathbf {u}\). On input a set \(R = \{\mathbf {d}_0, \mathbf {d}_1,\ldots , \mathbf {d}_{N-1}\}\) of size N, the algorithm outputs the accumulator value \(\mathbf {u}\).
- \(\mathsf {NM\textit{-}Witness}_{pp}(\mathbf {d}, R) \rightarrow \) w. On input a set R and a value \(\mathbf {d}\), if \(\mathbf {d}\) \(\in \) R, the algorithm outputs \(\perp \). Otherwise, it outputs a witness w for the fact that \(\mathbf {d}\) is not accumulated in the output of \(\mathsf {NM\textit{-}Acc}_{pp}(R)\).
- \(\mathsf {NM\textit{-}Verify}_{pp}(\mathbf {u}, \mathbf {d}, w) \rightarrow \) \(\{0, 1\}\). The algorithm outputs 1 if the witness w proves that \(\mathbf {d}\) is not accumulated into \(\mathbf {u}\). Otherwise, it outputs 0.
Correctness. Correctness requires that for all pp \(\leftarrow \) \(\mathsf {NM\textit{-}Setup}(n)\), the following equation holds for all \(\mathbf {d}\notin R\):
Security Definition. An accumulator for nonmembership is secure if for all probabilistic polynomial-time adversaries \(\mathcal {A}\),
where negl(n) is a negligible function in n. In other words, security says that it is computationally infeasible to prove that a value \(d^{*}\) is not accumulated in the value \(\mathbf {u}\) when in fact it is.
It is obvious that if we run the algorithms of an accumulator and an accumulator for nonmembership independently, the combination of the two gives a universal accumulator. More precisely, let \((\mathsf {M\textit{-}Setup}\), \(\mathsf {M\textit{-}Acc}\), \(\mathsf {M\textit{-}Witness}\), \(\mathsf {M\textit{-}Verify})\) be an accumulator scheme and (\(\mathsf {NM\textit{-}Setup}\), \(\mathsf {NM\textit{-}Acc}\), \(\mathsf {NM\textit{-}Witness}\), \(\mathsf {NM\textit{-}Verify}\)) be an accumulator for nonmembership; then a universal accumulator scheme (\(\mathsf {Setup}\), \(\mathsf {Acc}\), \(\mathsf {Witness}\), \(\mathsf {Verify}\)) can be constructed as follows:
- \(\mathsf {Setup} (n).\) Run \(pp_{m}\) \(\leftarrow \) \(\mathsf {M\textit{-}Setup}(n)\) and \(pp_{nm}\) \(\leftarrow \) \(\mathsf {NM\textit{-}Setup}(n)\). Output pp = (\(pp_{m}\), \(pp_{nm}\)).
- \(\mathsf {Acc}_{pp}(R).\) Run \(\mathbf {u}_{m}\) \(\leftarrow \) \(\mathsf {M\textit{-}Acc}_{pp_{m}}(R)\) and \(\mathbf {u}_{nm}\) \(\leftarrow \) \(\mathsf {NM\textit{-}Acc}_{pp_{nm}}(R)\). Return (\(\mathbf {u}_{m}\), \(\mathbf {u}_{nm}\)).
- \(\mathsf {Witness}_{pp}(\mathbf {d}, R, \mathsf {type}).\) If \(\mathsf {type} = 0\), run \(w_{m}\) \(\leftarrow \) \(\mathsf {M\textit{-}Witness}_{pp_{m}}\) \((\mathbf {d}, R)\) and return \(w_{m}\). Otherwise, run \(w_{nm}\) \(\leftarrow \) \(\mathsf {NM\textit{-}Witness}_{pp_{nm}}\) \((\mathbf {d}, R)\) and return \(w_{nm}\).
- \(\mathsf {Verify}_{pp}(\mathbf {d}, \mathbf {u}, w, \mathsf {type}).\) If \(\mathsf {type} = 0\), run \(\mathsf {M\textit{-}Verify}_{pp_{m}}(\mathbf {u}, \mathbf {d}, w)\) and return the output. Otherwise, run \(\mathsf {NM\textit{-}Verify}_{pp_{nm}}(\mathbf {u}, \mathbf {d}, w)\) and return the output.
Both correctness and security reduce straightforwardly to those of the underlying primitives (the accumulator and the accumulator for nonmembership), so we omit the details here.
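The composition above is generic: any membership accumulator and any nonmembership accumulator with the stated interfaces can be combined, with the \(\mathsf {type}\) flag selecting which half is used. The following Python program is an added example (not code from the paper) that instantiates both halves with a plain SHA-256 Merkle tree rather than the paper's lattice-based hash, which is an assumption made here to keep the example self-contained. Membership witnesses are Merkle authentication paths; for nonmembership, the tree is built over the sorted set and the witness consists of the two neighbouring leaves that would surround \(\mathbf {d}\), with the accumulator value carrying the set size N so that the boundary cases (\(\mathbf {d}\) below the smallest or above the largest element) can be checked. All function names (`m_acc`, `nm_witness`, `verify`, …) are this example's own, chosen to mirror the appendix's notation.

```python
import hashlib
from bisect import bisect_left

# Length-prefixed SHA-256 so that H(a, b) != H(a + b). SHA-256 stands in for the
# paper's lattice hash; this is an assumption of the example, not the paper's scheme.
def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

EMPTY = H(b"empty")  # padding leaf used when |R| is not a power of two

def _leaves(R):
    return [H(b"leaf", d) for d in R]

def _pad(leaves):
    n = 1
    while n < len(leaves):
        n *= 2
    return leaves + [EMPTY] * (n - len(leaves))

def _next_layer(layer):
    return [H(b"node", layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]

def _root(leaves):
    layer = _pad(leaves)
    while len(layer) > 1:
        layer = _next_layer(layer)
    return layer[0]

def _auth_path(leaves, idx):
    """Sibling hashes from leaf idx up to the root; each tagged 1 if idx is a right child."""
    layer, path = _pad(leaves), []
    while len(layer) > 1:
        path.append((idx & 1, layer[idx ^ 1]))
        layer, idx = _next_layer(layer), idx // 2
    return path

def _climb(leaf, path):
    h = leaf
    for is_right, sib in path:
        h = H(b"node", sib, h) if is_right else H(b"node", h, sib)
    return h

def _index_of(path):
    """Leaf index encoded by the side bits of a path (least significant bit first)."""
    return sum(bit << k for k, (bit, _) in enumerate(path))

# ---- accumulator for membership: M-Setup, M-Acc, M-Witness, M-Verify ----
def m_setup(n=256):
    return {"hash": "sha256", "n": n}  # pp_m: nothing secret in the hash-based setting

def m_acc(pp, R):
    return _root(_leaves(R))

def m_witness(pp, d, R):
    if d not in R:
        return None  # bottom: no membership witness for d not in R
    return _auth_path(_leaves(R), R.index(d))

def m_verify(pp, u, d, w):
    return w is not None and _climb(H(b"leaf", d), w) == u

# ---- accumulator for nonmembership: NM-Setup, NM-Acc, NM-Witness, NM-Verify ----
# Tree over sorted(R); u_nm = (root, N). Witness = (i, left neighbour, right neighbour).
def nm_setup(n=256):
    return {"hash": "sha256", "n": n}

def nm_acc(pp, R):
    S = sorted(R)
    return (_root(_leaves(S)), len(S))

def nm_witness(pp, d, R):
    S = sorted(R)
    i = bisect_left(S, d)
    if i < len(S) and S[i] == d:
        return None  # bottom: d is accumulated, so no nonmembership witness exists
    leaves = _leaves(S)
    left = (S[i - 1], _auth_path(leaves, i - 1)) if i > 0 else None
    right = (S[i], _auth_path(leaves, i)) if i < len(S) else None
    return (i, left, right)

def nm_verify(pp, u, d, w):
    if w is None:
        return False
    root, N = u
    i, left, right = w
    # A missing neighbour is only allowed at the boundaries of the sorted set.
    if left is None and i != 0:
        return False
    if right is None and i != N:
        return False
    if left is not None:
        x, path = left
        if not (x < d and _index_of(path) == i - 1 and _climb(H(b"leaf", x), path) == root):
            return False
    if right is not None:
        y, path = right
        if not (d < y and _index_of(path) == i and _climb(H(b"leaf", y), path) == root):
            return False
    return True  # adjacent authenticated leaves x < d < y: d cannot be in the sorted tree

# ---- universal accumulator: the two schemes run side by side, as in Appendix B ----
def setup(n=256):
    return (m_setup(n), nm_setup(n))

def acc(pp, R):
    return (m_acc(pp[0], R), nm_acc(pp[1], R))

def witness(pp, d, R, type_):
    return m_witness(pp[0], d, R) if type_ == 0 else nm_witness(pp[1], d, R)

def verify(pp, d, u, w, type_):
    return m_verify(pp[0], u[0], d, w) if type_ == 0 else nm_verify(pp[1], u[1], d, w)

if __name__ == "__main__":
    pp = setup()
    R = [b"bob", b"alice", b"carol", b"dave", b"erin"]  # constructed sample set
    u = acc(pp, R)
    print("member carol:", verify(pp, b"carol", u, witness(pp, b"carol", R, 0), 0))
    print("non-member chuck:", verify(pp, b"chuck", u, witness(pp, b"chuck", R, 1), 1))
```

The security property of Appendix B is what the last checks in `nm_verify` enforce: reusing a valid nonmembership witness for a value that is accumulated fails, because the strict inequalities x < d < y and the adjacency of the two leaf indices leave no room for d in the sorted tree.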
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Yu, Z., Au, M.H., Yang, R., Lai, J., Xu, Q. (2018). Lattice-Based Universal Accumulator with Nonmembership Arguments. In: Susilo, W., Yang, G. (eds) Information Security and Privacy. ACISP 2018. Lecture Notes in Computer Science(), vol 10946. Springer, Cham. https://doi.org/10.1007/978-3-319-93638-3_29
DOI: https://doi.org/10.1007/978-3-319-93638-3_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93637-6
Online ISBN: 978-3-319-93638-3
eBook Packages: Computer Science (R0)