On the Impossibility of Batch Update for Cryptographic Accumulators

Authors: Philippe Camacho and A.H.


A cryptographic accumulator is a scheme where a set of elements is represented by a single short value. This value, along with another value called a witness, allows one to prove membership in the set. If new values are added to or existing values are deleted from the accumulator, then the accumulated value changes and the witnesses need to be updated. In their survey on accumulators [FN02], Fazio and Nicolosi noted that Camenisch and Lysyanskaya's construction [CL02] was such that the time to update a witness after $m$ changes to the accumulated value was proportional to $m$. They posed the question of whether batch update was possible, namely whether there exists a cryptographic accumulator where the time to update witnesses is independent of the number of changes in the accumulated set. Recently, Wang et al. answered positively by giving a construction for an accumulator with batch update in [WWP08, WWP08a]. In this work, we show that the construction is not secure by exhibiting an attack. Moreover, we prove it cannot be fixed: if the accumulated value has been updated $m$ times, then the time to update a witness must be at least $\Omega(m)$ in the worst case.
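To make the witness-update cost in the abstract concrete, here is an added example (not code from the paper or from any of the cited constructions): a toy RSA-style accumulator that supports additions only, in which a witness goes stale when the set changes and is refreshed with one exponentiation per added element. The modulus, base, elements and function names are constructed for illustration; it does not reproduce the Wang et al. scheme or the attack on it.

```python
# Toy RSA-style accumulator, additions only. All parameters are constructed
# for illustration and are far too small to be secure.
N = 11 * 23   # constructed modulus (product of two small safe primes)
G = 4         # constructed base: a quadratic residue of order 55 mod N


def accumulate(acc, x):
    """Add element x (a prime coprime to the group order) to the accumulator."""
    return pow(acc, x, N)


def verify(acc, x, witness):
    """Membership check: witness^x must equal the current accumulated value."""
    return pow(witness, x, N) == acc


def update_witness(witness, added):
    """Refresh a witness after additions: one exponentiation per new element."""
    steps = 0
    for y in added:
        witness = pow(witness, y, N)
        steps += 1
    return witness, steps


def demo():
    x = 3                    # element whose membership we track
    stale = G                # its witness while the set is {x}
    acc = accumulate(G, x)   # accumulated value for {x}
    assert verify(acc, x, stale)

    added = [7, 13, 17]      # m = 3 later additions (constructed primes)
    for y in added:
        acc = accumulate(acc, y)

    fresh, steps = update_witness(stale, added)
    # (stale witness still valid?, refreshed witness valid?, update steps)
    return verify(acc, x, stale), verify(acc, x, fresh), steps


if __name__ == "__main__":
    print(demo())
```

The holder of the witness has to process every one of the $m$ additions; the paper's lower bound says no secure scheme can avoid work that grows with $m$ in the worst case.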

Ref: In Progress in Cryptology - LATINCRYPT 2010, First International Conference on Cryptology and Information Security in Latin America, Puebla, Mexico, August 8-11, 2010, Proceedings. Lecture Notes in Computer Science 6212, pages 178-188, Springer, 2010.

Revised paper: Available as PDF.