Lattice-Based Universal Accumulator with Nonmembership Arguments

Abstract

Universal accumulator provides a way to accumulate a set of elements into one. For each element accumulated, it can provide a short membership (resp. nonmembership) witness to attest the fact that the element has been (resp. has not been) accumulated. When combined with a suitable zero-knowledge proof system, it can be used to construct many privacy-preserving applications. However, existing universal accumulators are usually based on non-standard assumptions, e.g., the Strong RSA assumption and the Strong Diffie-Hellman assumptions, and are not secure against quantum attacks. In this paper, we propose the first lattice-based universal accumulator from standard lattice-based assumptions. The starting point of our work is the lattice-based accumulator with Merkle-tree structure proposed by Libert et al. (Eurocrypt’16). We present a novel method to generate short witnesses for non-accumulated members in a Merkle-tree, and give the construction of universal accumulator. Besides, we also propose the first zero-knowledge arguments to prove the possession of the nonmembership witness of a non-accumulated value in the lattice-based setting via the abstract Stern’s protocol of Libert et al. (Asiacrypt’17). Moreover, our proposed universal accumulator can be used to construct many privacy-preserving cryptographic primitives, such as group signature and anonymous credential.

Appendices

A Zero-Knowledge Arguments of Knowledge

Zero-knowledge arguments of knowledge [18] (\(\mathsf {ZKAoK}\)) is an interactive protocol where a prover can convince the verifier that he possesses the witness for a statement in a \(\mathsf {NP}\) relation without revealing any information about the witness. Moreover, we require it to have the following security properties [18]:

• Completeness. The prover can convince the verifier if he knows a witness testifying to the truth of the statement.

• Soundness. A malicious prover cannot convince the verifier if the statement is false.

• Zero-knowledege. A malicious verifier can know nothing but the statement is true from the proof.

• Extractability. A probabilistic polynomial time extractor can extract the witness for a true statement from a convincing argument made by prover.

In addition, as mentioned in [16], also known as Fiat-Shamir heuristic, a three round public-coin interactive \(\mathsf {ZKAoK}\) can be transformed into a non-interactive one in the random oracle model. We refer reader to [5] for the security analysis Fiat-Shamir heuristic.

B Accumulator for Nonmembership

Observe that a universal accumulator concerns two types of witness, one is the witness for membership and another is the witness for nonmembership, where the first part is the original definition of accumulator. We refer the reader to Definition 1 in  [14] for the formal definition of accumulator (for membership). For the part about nonmembership, we separate the scheme for it as follows:

Accumulator for Nonmembership. An accumulator for nonmembership is consisted of a tuple algorithms (\(\mathsf {NM\textit{-}Setup}\), \(\mathsf {NM\textit{-}Acc}\), \(\mathsf {NM\textit{-}Witness}\), \(\mathsf {NM\textit{-}Verify}\)) given below:

• \(\mathsf {NM\textit{-}Setup}(n)\rightarrow \) pp. The algorithm takes as input a security parameter n, outputs the public parameter pp.

• \(\mathsf {NM\textit{-}Acc}_{pp}(R) \rightarrow \) \(\mathbf {u}\). On input a set \(R = \{\mathbf {d}_0, \mathbf {d}_1,\ldots , \mathbf {d}_{N-1}\}\) with size N, the algorithm outputs the accumulator value \(\mathbf {u}\).

• \(\mathsf {NM\textit{-}Witness}_{pp}(\mathbf {d}, R) \rightarrow \) w. On input a set R and a value \(\mathbf {d}\), if \(\mathbf {d}\) \(\in \) R, then outputs \(\perp \). Otherwise, outputs a witness w for the fact that \(\mathbf {d}\) is not accumulated in the output of \(\mathsf {NM\textit{-}Acc}_{pp}(R)\).

• \(\mathsf {NM\textit{-}Verify}_{pp}(\mathbf {u}, \mathbf {d}, w) \rightarrow \) \(\{0, 1\}\). The algorithm outputs 1 if witness w can prove that \(\mathbf {d}\) is not accumulated into \(\mathbf {u}\). Otherwise, outputs 0.

Correctness.The correctness requires that for all pp \(\leftarrow \) \(\mathsf {NM\textit{-}Setup}(n)\), the following equation holds for all \(\mathbf {d}\notin R\):

$$\begin{aligned} \mathsf {NM\textit{-}Verify}_{pp}(\mathsf {NM\textit{-}Acc}_{pp}(R), \mathbf {d}, \mathsf {NM\textit{-}Witness}_{pp}(\mathbf {d}, R)) = 1. \end{aligned}$$

Security Definition. An accumulator for non-membership is secure if for all probabilistic polynomial-time adversary \(\mathcal {A}\),

$$\begin{aligned} Pr[ pp \leftarrow \mathsf {NM\textit{-}Setup}(n); (L, d^{*}, \mathbf {w}^{*}) \leftarrow \mathcal {A}(pp): d^{*} \in L \wedge \\ \mathsf {NM\textit{-}Verify}_{pp}(\mathsf {NM\textit{-}Acc}_{pp}(L), d^{*}, \mathbf {w}^{* }) =1] = negl(n), \end{aligned}$$

where negl(n) is a negligible function about n. In other words, the security says that it is computationally infeasible to prove that a value \(d^{*}\) is not accumulated in the value \(\mathbf {u}\) if it is.

It is obviously that if we run the algorithms of accumulator and accumulator for nonmembership independently, then the combination of these two parts can give a universal accumulator. More precisely, let \((\mathsf {M\textit{-}Setup}\), \(\mathsf {M\textit{-}Acc}\), \(\mathsf {M\textit{-}Witness}\), \(\mathsf {M\textit{-}Verify})\) be an accumulator scheme, and (\(\mathsf {NM\textit{-}Setup}\), \(\mathsf {NM\textit{-}Acc}\), \(\mathsf {NM\textit{-}Witness}\), \(\mathsf {NM\textit{-}Verify}\)) be an accumulator for nonmembership scheme, then a universal accumulator scheme (\(\mathsf {Setup}\), \(\mathsf {Acc}\),\(\mathsf {Witness}\),\(\mathsf {Verify}\)) can be constructed as follows:

• \(\mathsf {Setup} (n).\) Run \(pp_{m}\) \(\leftarrow \) \(\mathsf {M\textit{-}Setup}(n)\), \(pp_{nm}\) \(\leftarrow \) \(\mathsf {NM\textit{-}Setup}(n)\). Output pp = (\(pp_{m}\), \(pp_{nm}\)).

• \(\mathsf {Acc}_{pp}(R).\) Run \(\mathbf {u}_{m}\) \(\leftarrow \) \(\mathsf {M\textit{-}Acc}_{pp_{m}}(R)\), \(\mathbf {u}_{nm}\) \(\leftarrow \) \(\mathsf {NM\textit{-}Acc}_{pp_{nm}}(R)\). Return (\(\mathbf {u}_{m}\), \(\mathbf {u}_{nm}\)).

• \(\mathsf {Witness}_{pp}(\mathbf {d}, R, \mathsf {type}).\) If \(\mathsf {type} = 0\), run \(w_{m}\) \(\leftarrow \) \(\mathsf {M\textit{-}Witness}_{pp_{m}}\) \((\mathbf {d}, R)\), and return \(w_{m}\). Otherwise, run \(w_{nm}\) \(\leftarrow \) \(\mathsf {NM\textit{-}Witness}_{pp_{nm}}\) \((\mathbf {d}, R)\), and return the output.

• \(\mathsf {Verify}_{pp}(\mathbf {d}, \mathbf {u}, w, \mathsf {type}).\) If \(\mathsf {type} = 0\), then recall \(\mathsf {M\textit{-}Verify}_{pp_{m}}(\mathbf {u}, \mathbf {d}, w)\), and return the output. Otherwise, run \(\mathsf {NM\textit{-}Verify}_{pp_{nm}}(\mathbf {u}, \mathbf {d}, w)\) and return the output.

Both the correctness and the security can be reduced to underlying primitives (accumulator and accumulator for nonmembership) straightforwardly, and we just omit the details here.