One-way accumulators: a decentralized alternative to digital signatures
EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Universal Accumulators with Efficient Nonmembership Proofs
ACNS '07 Proceedings of the 5th international conference on Applied Cryptography and Network Security
APSCC '08 Proceedings of the 2008 IEEE Asia-Pacific Services Computing Conference
An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials
Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
Collision-free accumulators and fail-stop signature schemes without trees
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Public-key cryptosystems based on composite degree residuosity classes
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
A new dynamic accumulator for batch updates
ICICS'07 Proceedings of the 9th international conference on Information and communications security
Hi-index | 0.00 |
A cryptographic accumulator is a scheme where a set of elements is represented by a single short value. This value, along with another value called witness, allows to prove membership into the set. If new values are added or existent values are deleted from the accumulator, then the accumulated value changes and the witnesses need to be updated. In their survey on accumulators [6], Fazio and Nicolosi noted that Camenisch and Lysyanskaya's construction [3] was such that the time to update a witness after m changes to the accumulated value was proportional to m. They posed the question whether batch update was possible, namely if a cryptographic accumulator where the time to update witnesses is independent from the number of changes in the accumulated set exists. Recently, Wang et al. answered positively by giving a construction for an accumulator with batch update [9,10]. In this work, we show that the construction is not secure by exhibiting an attack. Moreover, we prove it cannot be fixed. If the accumulated value has been updated m times then the time to update a witness must be at least Ω(m) in the worst case.