Abstract. A cryptographic accumulator is a scheme in which a set of elements is represented by a single short value. This value, together with another value called a witness, allows one to prove membership in the set. If new values are added to the accumulator or existing values are deleted from it, the accumulated value changes and the witnesses need to be updated. In their survey on accumulators [6], Fazio and Nicolosi noted that in Camenisch and Lysyanskaya's construction [3] the time to update a witness after m changes to the accumulated value was proportional to m. They posed the question of whether batch update is possible, namely whether there exists a cryptographic accumulator in which the time to update witnesses is independent of the number of changes to the accumulated set. Recently, Wang et al. answered positively by giving a construction for an accumulator with batch update [9,10]. In this work, we show that the construction is not secure by exhibiting an attack. Moreover, we prove it cannot be fixed: if the accumulated value has been updated m times, then the time to update a witness must be at least Ω(m) in the worst case.
A transitive signature scheme allows one to sign a graph in such a way that, given the signatures of edges (a, b) and (b, c), it is possible to compute the signature for the edge (or path) (a, c) without the signer's secret. Constructions for undirected graphs are known, but the case of directed graphs remains open. A first solution for the case of directed trees (DTTS) was given by Yi at CT-RSA 2007. In Yi's construction, the signature for an edge is O(n(log(n log n))) bits long in the worst case. A year later, Neven designed a simpler scheme where the signature size is reduced to O(n log n) bits. Although Neven's construction is more efficient, O(n log n)-bit long signatures still remain impractical for large n.

In this work, we propose a new DTTS scheme such that, for any value λ ≥ 1 and security parameter κ:
• Signatures for edges are only O(κλ) bits long.
• Signing or verifying a signature for an edge requires O(λ) cryptographic operations.
• Computing a signature for an edge requires $O(\lambda n^{1/\lambda})$ cryptographic operations.

To the best of our knowledge, this is the first construction with such a trade-off. In particular, we can achieve O(κ log(n))-bit long signatures while taking only O(log(n)) time to generate edge signatures, verify or even compute edge signatures. Our construction relies on hashing with common-prefix proofs, a new variant of collision-resistant hashing. A family H provides hashing with common-prefix proofs if for any H ∈ H, given two strings X and Y equal up to position i, a Combiner can convince a Verifier that X[1..i] is a prefix of Y by sending only H(X), H(Y), and a small proof. We believe that this new primitive will lead to other interesting applications.
We propose a protocol to exchange Boneh-Boyen short signatures in a fair way and without relying on a trusted third party. Our protocol is quite practical and is the first of the sort to the best of our knowledge. Our construction uses a new non-interactive zero-knowledge (NIZK) argument to prove that a commitment is the encryption of a bit vector. We also design a NIZK argument to prove that a commitment to a bit vector $v = (b_1, b_2, \ldots, b_\kappa)$ is such that $\sum_{i \in [\kappa]} b_i 2^{i-1} = \theta$, where $\theta$ is the discrete logarithm of some public value $D = g^{\theta}$. These arguments may be of independent interest.