Results 1 - 3 of 3
Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Cited by 4 (2 self)
Abstract. Cryptographic accumulators allow to accumulate a finite set of values into a single succinct accumulator. For every accumulated value, one can efficiently compute a witness, which certifies its membership in the accumulator. However, it is computationally infeasible to find a witness for any non-accumulated value. Since their introduction, various accumulator schemes for numerous practical applications and with different features have been proposed. Unfortunately, to date there is no unifying model capturing all existing features. Such a model can turn out to be valuable as it allows to use accumulators in a black-box fashion. To this end, we propose a unified formal model for (randomized) cryptographic accumulators which covers static and dynamic accumulators, their universal features and includes the notions of undeniability and indistinguishability. Additionally, we provide an exhaustive classification of all existing schemes. In doing so, it turns out that most accumulators are distinguishable. Fortunately, a simple, lightweight generic transformation allows to make many existing dynamic accumulator schemes indistinguishable. As this transformation, however, comes at the cost of reduced collision freeness, we additionally propose the first indistinguishable scheme that does not suffer from this shortcoming. Finally, we employ our unified model for presenting a black-box construction of commitments from indistinguishable accumulators as well as a black-box construction of indistinguishable, undeniable universal accumulators from zero-knowledge sets. Latter yields the first universal accumulator construction that provides indistinguishability.
Zero-Knowledge Accumulators and Set Operations
2015
Accumulators provide a way to succinctly represent a set with elements drawn from a given domain, using an accumulation value. Subsequently, short proofs for the set-membership (or non-membership) of any element from the domain can be constructed and efficiently verified with respect to this accumulation value. Accumulators have been widely studied in the literature, primarily, as an authentication primitive: a malicious prover (e.g., an untrusted server) should not be able to provide convincing proofs on false statements (e.g., successfully prove membership for a value not in the set) to a verifier that issues membership queries (of course, having no access to set itself). In essence, in existing constructions the accumulation value acts as a (honestly generated) “commitment” to the set that allows selective “opening” as specified by membership queries—but with no “hiding” properties. In this paper we revisit this primitive and propose a privacy-preserving enhancement. We define the notion of a zero-knowledge accumulator that provides the following very strong privacy notion: Accumulation values and proofs constructed during the protocol execution leak nothing about the set itself, or any subsequent updates to it (i.e., via element insertions/deletions). We formalize this property by a standard real/ideal execution game. An adversarial party that is allowed to choose the set and is given access to query and update oracles, cannot distinguish whether this interaction takes place with respect to the honestly executed algorithms of the scheme or with a simulator that is not given access to the set itself (and for updates, it does not even learn the type of update
Almost Optimal Short Adaptive Non-Interactive Zero Knowledge
First eprint version, May 30, 2014
Abstract. Several recent short NIZK arguments are constructed in a modular way from a small number of basic arguments like the product argument or the shift argument. The main technical novelty of the current work is a significantly more efficient version of the product argument. Based on this, we propose an adaptive NIZK range argument with almost optimal complexity: constant communication (in group elements), constant verifier’s computational complexity (in cryptographic operations), and Θ(n log n) [resp., Θ(n)] prover’s computational complexity (in non-cryptographic [resp., cryptographic] operations). The latter can be compared to n log^{ω(1)} n in the most efficient published short adaptive non-interactive range argument, or Θ(n log^2 n) [resp., Θ(n log n)] that is achievable when following QAP-based framework from Eurocrypt 2013. Here, n is the logarithm of the range length. The new product argument can be used to construct efficient adaptive NIZK arguments for many other languages, including several that are NP-complete like SubsetSum. Importantly, for all such languages, new adaptive arguments achieve better prover’s computation than the QAP-based framework.