## Dynamic accumulators and application to efficient revocation of anonymous credentials

### Cached

### Download Links

Venue: | http://eprint.iacr.org/2001, 2001. Jan Camenisch and Anna Lysyanskaya |

Citations: | 175 - 11 self |

### BibTeX

@INPROCEEDINGS{Camenisch_dynamicaccumulators,

author = {Jan Camenisch and Anna Lysyanskaya},

title = {Dynamic accumulators and application to efficient revocation of anonymous credentials},

booktitle = {http://eprint.iacr.org/2001, 2001. Jan Camenisch and Anna Lysyanskaya},

year = {}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We introduce the notion of a dynamic accumulator. Anaccumulator scheme allows one to hash a large set of inputs into one short value, such that there is a short proof that a given input was incorporated into this value. A dynamic accumulator allows one to dynamically add and delete a value, such that the cost of an add or delete is independent of the number of accumulated values. We provide a construction of a dynamic accumulator and an efficient zero-knowledge proof of knowledge of an accumulated value. We prove their security under the strong RSA assumption. We then show that our construction of dynamic accumulators enables efficient revocation of anonymous credentials, and membership revocation for recent group signature and identity escrow schemes.

### Citations

482 | A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack
- Cramer, Shoup
- 1998
(Show Context)
Citation Context ...sumption states that this problem is hard to solve. The strong RSA assumption [3,18] is a common number-theoretic assumption that, in particular, is the basis for several cryptographic schemes (e.g., =-=[1,11,16,19]-=-). By QRn we denote the group of quadratic residues modulo n. We use notation introduced by Camenisch and Stadler [13] for the various zero-knowledge proofs of knowledge of discrete logarithms and pro... |

415 | Security and Composition of Multi-party Cryptographic Protocols. To appear in the Journal of Cryptology. Available from the Theory of Cryptography Library at http://philby.ucsd.edu/cryptlib - Canetti - 1998 |

287 | Efficient group signature schemes for large groups (extended abstract
- Camenisch, Stadler
(Show Context)
Citation Context ...t for large groups. This drawback is overcome by schemes where the size of the group’s public key as well as the complexity of proving and verifying membership is independent of the number of members =-=[13,21,12,1]-=-. The idea underlying these schemes is that the group public key contains the group manager’s public key of a suitable signature scheme. To become a group member, a user chooses a membership public ke... |

255 | A practical and provably secure coalition-resistant group signature scheme
- Ateniese, Camenisch, et al.
(Show Context)
Citation Context ...d-choose for the Barić and Pfitzmann’s [3] construction). From the above, we obtain an efficient mechanism for revoking group membership for the Ateniese et al. identity escrow/group signature scheme =-=[1]-=- (the most efficient secure identity escrow/group signature scheme known to date) and a credential revocation mechanism for Camenisch and Lysyanskaya’s [9] credential system. The construction can be a... |

235 |
Rethinking Public Key Infrastructure and Digital Certificates— Building in Privacy
- Brands
- 1999
(Show Context)
Citation Context ...row scheme and the Camenisch-Lysyanskaya credential system [1,9]. However, it is not hard to see how to add revocation for other schemes and systems that use some form of anonymous credentials (e.g., =-=[5,11,12,10,13,21,23]-=-). 4.2 The ACJT Identity Escrow Scheme and Its Friends An identity escrow scheme involves a membership manager, who is responsible for adding and deleting members, an anonymity revocation manager, who... |

172 | Collision-free accumulators and fail-stop signature schemes without trees
- Baric, Pfitzmann
(Show Context)
Citation Context ...s incorporated into the accumulator. At the same time, it is infeasible to find a witness for a value that was not accumulated. Extending the ideas due to Benaloh and de Mare [4], Barić and Pfitzmann =-=[3]-=- give an efficient construction of so-called collision-resistant accumulators, based on the strong RSA assumption. We propose a variant of the cited construction with the additional advantage that, us... |

146 | Composition and Integrity Preservation of Secure Reactive Systems - Pfitzmann, Waidner - 2000 |

136 |
Okamoto: Statistical Zero-Knowledge Protocols to prove Modular Polynomial Relations, proc. of Crypto 97, Springer Verlag LNCS series 1294
- Fujisaki
(Show Context)
Citation Context ... the following. Given an RSA modulus n and a random element v ∈ Z∗ n find e > 1 and u such that z = ue . The strong RSA assumption states that this problem is hard to solve. The strong RSA assumption =-=[3,18]-=- is a common number-theoretic assumption that, in particular, is the basis for several cryptographic schemes (e.g., [1,11,16,19]). By QRn we denote the group of quadratic residues modulo n. We use not... |

130 | Secure hash-and-sign signatures without the random oracle
- Gennaro, Halevi, et al.
- 1999
(Show Context)
Citation Context ...sumption states that this problem is hard to solve. The strong RSA assumption [3,18] is a common number-theoretic assumption that, in particular, is the basis for several cryptographic schemes (e.g., =-=[1,11,16,19]-=-). By QRn we denote the group of quadratic residues modulo n. We use notation introduced by Camenisch and Stadler [13] for the various zero-knowledge proofs of knowledge of discrete logarithms and pro... |

123 | Pseudonym systems
- Lysyanskaya, Rivest, et al.
(Show Context)
Citation Context ...row scheme and the Camenisch-Lysyanskaya credential system [1,9]. However, it is not hard to see how to add revocation for other schemes and systems that use some form of anonymous credentials (e.g., =-=[5,11,12,10,13,21,23]-=-). 4.2 The ACJT Identity Escrow Scheme and Its Friends An identity escrow scheme involves a membership manager, who is responsible for adding and deleting members, an anonymity revocation manager, who... |

121 | One-way accumulators: A decentralized alternative to digital signatures
- Benaloh, Mare
- 1993
(Show Context)
Citation Context ... anonymous. M. Yung (Ed.): CRYPTO 2002, LNCS 2442, pp. 61–76, 2002. c○ Springer-Verlag Berlin Heidelberg 200262 Jan Camenisch and Anna Lysyanskaya Accumulators were introduced by Benaloh and de Mare =-=[4]-=- as a way to combine a set of values into one short accumulator, such that there is a short witness that a given value was incorporated into the accumulator. At the same time, it is infeasible to find... |

94 |
Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation
- Camenisch, Lysyanskaya
- 2001
(Show Context)
Citation Context ...t al. identity escrow/group signature scheme [1] (the most efficient secure identity escrow/group signature scheme known to date) and a credential revocation mechanism for Camenisch and Lysyanskaya’s =-=[9]-=- credential system. The construction can be applied to other such schemes as well. The idea is to incorporate the public key for an accumulator scheme into the group manager’s (resp., organization’s) ... |

86 |
A group signature scheme with improved efficiency (extended abstract
- Camenisch, Michels
(Show Context)
Citation Context ...sumption states that this problem is hard to solve. The strong RSA assumption [3,18] is a common number-theoretic assumption that, in particular, is the basis for several cryptographic schemes (e.g., =-=[1,11,16,19]-=-). By QRn we denote the group of quadratic residues modulo n. We use notation introduced by Camenisch and Stadler [13] for the various zero-knowledge proofs of knowledge of discrete logarithms and pro... |

85 |
On the Generation of Cryptographically Strong Pseudo-Random Sequences
- Shamir
- 1983
(Show Context)
Citation Context ...milar to the one given by Barić-Pfitzmann for their construction (the difference being that we do not require x ′ to be prime). The proof by BarićPfitzmann is actually the same as one given by Shamir =-=[26]-=-. Suppose we are given an adversary A that, on input n and u ∈R QRn, outputs m primes x1,...,xm ∈XA,B and u ′ ∈ Z∗ n, x ′ ∈X ′ A,B such that (u′) x′ = u ∏ xi . Let us use A to break the strong RSA ass... |

82 | Studies in Secure Multiparty Computation and Applications - Canetti - 1995 |

78 | Fujisaki: An Integer Commitment Scheme based on Groups with Hidden Order, Manuscript, 2001, available from the ePrint archive
- Damgard
(Show Context)
Citation Context ...lators and Revocation of Anonymous Credentials 71 can compute a non-trivial root of g with probability at least 1/2. This, however, is not feasible under the strong RSA assumption. We refer to, e.g., =-=[17]-=- for the details of such a reduction.) Let ˆα = ∆α/∆c, ˆη = ∆η/∆c, ˆε = ∆ε/∆c and ˆ ζ = ∆ζ/∆c. Because |c|, |c ′ | <p ′ ,q ′ ,wegetCr = ah ˆε g ˆ ζ for some a such that a 2 = 1. Moreover, the value a ... |

77 | Separability and efficiency for generic group signature schemes
- Camenisch, Michels
- 1999
(Show Context)
Citation Context ...t for large groups. This drawback is overcome by schemes where the size of the group’s public key as well as the complexity of proving and verifying membership is independent of the number of members =-=[13,21,12,1]-=-. The idea underlying these schemes is that the group public key contains the group manager’s public key of a suitable signature scheme. To become a group member, a user chooses a membership public ke... |

75 | Identity escrow
- Kilian, Petrank
(Show Context)
Citation Context ...t for large groups. This drawback is overcome by schemes where the size of the group’s public key as well as the complexity of proving and verifying membership is independent of the number of members =-=[13,21,12,1]-=-. The idea underlying these schemes is that the group public key contains the group manager’s public key of a suitable signature scheme. To become a group member, a user chooses a membership public ke... |

72 | Efficient and Generalized Group Signatures
- Camenisch
- 1997
(Show Context)
Citation Context ... cryptographic assumption. We therefore do not discuss the detail involved here.Dynamic Accumulators and Revocation of Anonymous Credentials 63 Related Work. For the class of group signature schemes =-=[15,7]-=- where the group’s public key contains a list of the public keys of all the group members, excluding a member is straightforward: the group manager only needs to remove the affected member’s key from ... |

62 |
New group signature schemes
- Chen, Pedersen
(Show Context)
Citation Context ... cryptographic assumption. We therefore do not discuss the detail involved here.Dynamic Accumulators and Revocation of Anonymous Credentials 63 Related Work. For the class of group signature schemes =-=[15,7]-=- where the group’s public key contains a list of the public keys of all the group members, excluding a member is straightforward: the group manager only needs to remove the affected member’s key from ... |

60 | Quasi-efficient revocation of group signatures
- Ateniese, Song, et al.
(Show Context)
Citation Context .... As we have noted above, this linear dependency comes in three flavors: (1) the burden being64 Jan Camenisch and Anna Lysyanskaya on the group manager to re-issue certificates in every time period; =-=(2)-=- the burden being on the group member to prove that his certificate is different from any of those that have been revoked and on the verifier to check this; or (3) the burden being on the verifier to ... |

41 | Practical forward-secure group signature schemes
- Song
(Show Context)
Citation Context ...mplexity of proving and verifying signatures are linear in the number of excluded members. In particular, this means that the size of a group signature grows with the number of excluded members. Song =-=[27]-=- presents an alternative approach in conjunction with a construction that yields forward secure group signature schemes based on the ACJT group signature scheme [1]. While here the size of a group sig... |

24 | How to Prove All NP Statements in Zero-Knowledge and a Methodology of Cryptographic
- Goldreich, Micali, et al.
- 1987
(Show Context)
Citation Context ...roofs allows one to prove that a committed value is in the accumulator. We show that this can be done efficiently (i.e., not by reducing to an NP-complete problem and then using the fact that NP ⊆ ZK =-=[20]-=- and not by using cut-and-choose for the Barić and Pfitzmann’s [3] construction). From the above, we obtain an efficient mechanism for revoking group membership for the Ateniese et al. identity escrow... |

22 | An identity escrow scheme with appointed verifiers
- Camenisch, Lysyanskaya
(Show Context)
Citation Context ...row scheme and the Camenisch-Lysyanskaya credential system [1,9]. However, it is not hard to see how to add revocation for other schemes and systems that use some form of anonymous credentials (e.g., =-=[5,11,12,10,13,21,23]-=-). 4.2 The ACJT Identity Escrow Scheme and Its Friends An identity escrow scheme involves a membership manager, who is responsible for adding and deleting members, an anonymity revocation manager, who... |

18 | and Erez Petrank. Identity escrow - Kilian - 1998 |

16 | Avi Wigderson. How to prove all np-statements in zeroknowledge, and a methodology of cryptographic protocol design - Goldreich, Micali - 1986 |

8 |
Group signatures with efficient revocation
- Bresson, Stern
- 2001
(Show Context)
Citation Context ...quite a burden on the group manager, especially for large groups. Another approach is to incorporate a list of revoked certificates and their corresponding membership keys into the group’s public key =-=[6]-=-. In this solution, when proving membership, a user has to prove that his or her membership public key does not appear on the list. Hence, the size of the public key as well as the complexity of provi... |

8 |
Efficient and secure member deletion in group signature schemes
- Kim, Lim, et al.
- 2001
(Show Context)
Citation Context ...exity of proving/signing and verifying to be rather high compared to underlying scheme (about a factor of 90 for reasonable security parameters). Finally, we point out that the proposal by Kim et al. =-=[22]-=- is broken, i.e., excluded group members can still prove membership (after the group manager changed the group’s key, excluded members can update their membership information in the very same way as n... |

5 |
auditable membership proofs
- Blind
- 2001
(Show Context)
Citation Context ... additional burden on the verifier is simply that he should look at the public key frequently (which seems unavoidable); the verifier need not read the archive. We note that Sander, Ta-Shma, and Yung =-=[25]-=- also provide a zero-knowledge proof of member knowledge for the Barić-Pfitzmann accumulator. Their proof uses commitments for each of the bits of value contained in the accumulator. In contrast, the ... |

2 | Ateniese and Gene Tsudik. Quasi-efficient revocation of group signatures - Giuseppe - 2001 |

1 |
Quasi-efficient revocation of group signatures. http: //eprint.iacr.org/2001/101
- Ateniese, Tsudik
- 2001
(Show Context)
Citation Context ...on the total number of deleted members. As we have noted above, this linear dependency comes in three flavors: (1) the burden being on the group manager to re-issue certificates in every time period; =-=(2)-=- the burden being on the group member to prove that his certificate is different from any of those that have been revoked and on the verifier to check this; or (3) the burden being on the verifier to ... |