RSA Accumulator: Fundamentals & Applications

Updated 4 April 2026
  • RSA Accumulator is a cryptographic primitive that provides succinct set commitments by mapping elements to prime representatives and using exponentiation, ensuring constant-size membership proofs.
  • It supports efficient dynamic updates with O(1) insertions and precomputed witness queries, though deletions may require full recomputation due to the absence of exponent inverses.
  • Applications include authenticated dictionaries, certificate revocation, and blockchain state compression, delivering significant performance improvements and robust security under the strong RSA assumption.

An RSA accumulator is a cryptographic primitive that allows efficient, succinct representation of a set of elements so that cryptographically secure membership (and often non-membership) proofs can be generated and verified with constant-size witnesses and proofs. Founded on the hardness of the strong RSA assumption, RSA accumulators have found applications in areas such as dynamic authenticated dictionaries, certificate revocation in PKI, verifiable data structures, and authenticated state compression in blockchains (0905.1307, B, 2020, Cebe et al., 2019).

1. Theoretical Foundation and Structure

RSA accumulators operate in a hidden-order group, specifically the multiplicative group of quadratic residues modulo an RSA modulus $N = PQ$, where $P$ and $Q$ are strong primes. The public parameters include $N$ and a generator $a \in \mathbb{Z}^*_N$. For security, the strong RSA assumption is required: given $N$ and a random $x$ in $\mathbb{Z}^*_N$, it is hard to find $(a, f \geq 2)$ such that $a^f \equiv x \pmod{N}$ (0905.1307).

Each element PP0 to be stored is mapped into a prime representative PP1 using a two-universal hash function or a hash-and-prime search protocol. For a set PP2 encoded as prime representatives PP3, the accumulated value is defined as

PP4

thus succinctly committing to the entire set in a single group element (0905.1307, B, 2020, Cebe et al., 2019).

2. Membership and Non-membership Proofs

Membership Witnesses

To prove that PP5, the witness PP6 is computed as the accumulation over all elements except PP7: PP8 Verification then involves checking that PP9. Under the strong RSA assumption, forgery is infeasible (0905.1307, B, 2020, Cebe et al., 2019).

Non-membership Proofs

For QQ0, certain constructions allow compact non-membership proofs. One method involves leveraging Bézout coefficients QQ1 for the equation QQ2, where QQ3. The non-membership proof is a pair QQ4, verified by checking that

QQ5

This construction guarantees soundness under the strong RSA assumption and the use of prime-only group elements (Cebe et al., 2019).
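Membership and Bézout-based non-membership proofs as described in this section, written here as an added Python example (not code from the cited papers). It assumes the standard forms: a witness w checked as w^x ≡ acc (mod N), and a proof (α, a^β) with α·u + β·x = 1 checked as acc^α · (a^β)^x ≡ a (mod N). The toy modulus, the base 4, the SHA-256 hash-and-search mapping and all function names are constructed for illustration.

```python
import hashlib
from math import gcd, isqrt, prod

# Constructed toy parameters: safe primes 1019 = 2*509+1 and 1187 = 2*593+1.
# A real modulus is at least 2048 bits and its factors are discarded.
N = 1019 * 1187
A = 4  # base: a quadratic residue generating the order-509*593 subgroup

def is_prime(n):
    """Trial division; enough for the ~32-bit candidates below."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))

def hash_to_prime(element: bytes) -> int:
    """Hash-and-search mapping (assumed): first prime at or above a SHA-256 prefix."""
    c = int.from_bytes(hashlib.sha256(element).digest()[:4], "big") | (1 << 31) | 1
    while not is_prime(c):
        c += 2
    return c

def accumulate(primes):
    return pow(A, prod(primes), N)

def member_witness(primes, x):
    """Accumulation over every representative except x."""
    return pow(A, prod(p for p in primes if p != x), N)

def verify_member(acc, w, x):
    return pow(w, x, N) == acc

def nonmember_proof(primes, x):
    """Return (alpha, A^beta mod N) where alpha*u + beta*x = 1 and u = prod(primes)."""
    u = prod(primes)
    if gcd(u, x) != 1:
        raise ValueError("x is accumulated: no Bezout pair exists")
    alpha = pow(u, -1, x)            # Python 3.8+: modular inverse
    beta = (1 - alpha * u) // x      # exact division; beta <= 0
    return alpha, pow(A, beta, N)    # negative exponent inverts A mod N

def verify_nonmember(acc, x, proof):
    alpha, b = proof
    return pow(acc, alpha, N) * pow(b, x, N) % N == A

if __name__ == "__main__":
    revoked = [hash_to_prime(s) for s in (b"serial-1001", b"serial-1002")]
    acc, good = accumulate(revoked), hash_to_prime(b"serial-2000")
    print(verify_member(acc, member_witness(revoked, revoked[0]), revoked[0]))
    print(verify_nonmember(acc, good, nonmember_proof(revoked, good)))
```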

3. Dynamic Accumulator Update Algorithms

Efficient support for dynamic set updates requires careful protocol engineering. The key algorithms are as follows:

  • Insertion: Given a new element QQ6, update via exponentiation QQ7 (constant cost).
  • Deletion: As inverses typically cannot be computed in exponent space without knowledge of QQ8, a full recomputation may be required: QQ9 (linear cost).
  • Witness Precomputation: Precomputing all NN0 witnesses reduces per-query cost to NN1, at the expense of NN2 source update time (0905.1307).

The following table summarizes complexity trade-offs for prominent dynamic accumulator update protocols:

| Scheme | Source Insert/Delete | Directory Query | User Verify |
|---|---|---|---|
| Straightforward | O(1)/O(n) | O(n) | O(1) |
| Precomputed Accumulations | O(n) | O(1) | O(1) |
| Parameterized/Hierarchical | $O(n^{c/(c+1)})$ | $O(n^{c/(c+1)})$ | O(1) |

Parameterizing or hierarchizing groupings allows trade-offs between source and directory work, achieving sublinear (e.g., NN3) performance as required (0905.1307).
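The straightforward and precomputed-witness update paths from this section, written here as an added Python example (not the cited papers' code). It assumes the standard update rules (accumulator and stored witnesses raised to the new prime on insertion) and that a source holding φ(N) can delete with one inverse exponentiation instead of recomputing. The toy modulus, the prime representatives 101 to 109 and the `Source` class are constructed for illustration.

```python
from math import prod

# Constructed toy parameters: safe primes 1019 = 2*509+1 and 1187 = 2*593+1.
P, Q = 1019, 1187
N = P * Q
PHI = (P - 1) * (Q - 1)  # trapdoor (assumed): known only to whoever generated N
A = 4                    # base, a quadratic residue mod N

def verify_member(acc, w, x):
    return pow(w, x, N) == acc

class Source:
    """Trusted source holding the accumulator plus a precomputed witness table."""

    def __init__(self, primes, trapdoor=None):
        self.primes, self.trapdoor = list(primes), trapdoor
        self._rebuild()

    def _rebuild(self):
        # Full recomputation: linear in the set size for the accumulator alone.
        self.acc = pow(A, prod(self.primes), N)
        self.witness = {x: pow(A, prod(p for p in self.primes if p != x), N)
                        for x in self.primes}

    def insert(self, x):
        # Each stored witness absorbs x; the old accumulator becomes x's witness.
        self.witness = {p: pow(w, x, N) for p, w in self.witness.items()}
        self.witness[x] = self.acc
        self.acc = pow(self.acc, x, N)   # the constant-cost accumulator update
        self.primes.append(x)

    def delete(self, x):
        self.primes.remove(x)
        del self.witness[x]
        if self.trapdoor is None:        # exponent cannot be inverted: recompute
            self._rebuild()
            return
        inv = pow(x, -1, self.trapdoor)  # x^-1 mod phi(N), Python 3.8+
        self.acc = pow(self.acc, inv, N)
        self.witness = {p: pow(w, inv, N) for p, w in self.witness.items()}

if __name__ == "__main__":
    s, t = Source([101, 103, 107]), Source([101, 103, 107], trapdoor=PHI)
    for src in (s, t):
        src.insert(109)
        src.delete(103)
    print(s.acc == t.acc, s.witness == t.witness)
```

A witness issued before an insertion, or held for an element that is later deleted, no longer verifies against the new accumulator, which is what makes the scheme usable for revocation.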

4. Applications and Protocol Integrations

Authenticated Dictionaries

RSA accumulators enable dynamic authenticated dictionaries where a trusted source maintains the set, untrusted directories answer queries, and lightweight users verify membership using constant-size proofs and one modular exponentiation (0905.1307).

Certificate Revocation

By representing certificate serial numbers as primes, and accumulating the revocation set, one can distribute a single accumulator NN4 and associated member/non-member witnesses. In empirical tests, deploying accumulators for certificate revocation (rather than conventional CRLs or Bloom filters) reduced update and distribution times from tens of minutes to under a second in AMI/IoT testbeds, with per-meter storage falling to 768 bytes—even with 30,000 revoked certificates (Cebe et al., 2019).

Blockchain State Compression

In securePrune, the unspent transaction output set is committed to using an accumulator in each block header. Inclusion and deletion updates are attested by non-interactive proof-of-exponentiation (NI-PoE) arguments. Full nodes prune historic blocks after snapshot confirmation, reducing storage needs by 85%. Validator overhead increases by less than 0.4 seconds per block, with 1 KB extra communication per block (B, 2020).

5. Performance and Empirical Results

Representative measured performance from respective studies:

  • Java Implementation (n up to NN5): Insert or query costs could be tuned using hierarchy, with (NN6) partitioning empirically superior for source-directory workload balance (0905.1307).
  • AMI Revocation (2048-bit N):
    • Distribution time for accumulator and proofs: NN70.6s–1.2s for 81–196 nodes, versus minutes–hours for CRLs (Cebe et al., 2019).
    • Accumulate (30,000 entries): NN80.36s (with NN9 known), up to 36s without.
    • Smart meter verification: ~10 ms per membership check.
  • Blockchain UTXO Pruning:
    • Miner computation (per block): a∈ZN∗a \in \mathbb{Z}^*_N00.3s for batch update and proof.
    • Verifier cost: a∈ZN∗a \in \mathbb{Z}^*_N10.35s per block (100 tx), negligible relative to a 10-minute (600s) block interval.
    • Storage reduced to a∈ZN∗a \in \mathbb{Z}^*_N2400 MiB for a chain otherwise multiple gigabytes (B, 2020).

6. Security Properties

Security is grounded in the strong RSA assumption:

  • No polynomial-time adversary can forge member or non-member witnesses for values not in the set, as this would require finding a∈ZN∗a \in \mathbb{Z}^*_N3 for a random a∈ZN∗a \in \mathbb{Z}^*_N4.
  • Hash-to-prime mappings and (optionally) tweak primes guard against collisions and replay attacks (0905.1307, Cebe et al., 2019).
  • Even with access to numerous valid witness/proof pairs, exponents and factorizations remain hidden due to the unknown group order.

Secret tweaks provide recovery and freshness if the accumulator manager is compromised, enabling rekeying in seconds at sub-kilobyte cost to all users (Cebe et al., 2019).

7. Summary and Research Trajectory

RSA accumulators provide size-oblivious, succinct cryptographic set commitments with optimal O(1)-size proofs and fast verification. Through architectural refinements—precomputed, parameterized, and hierarchical accumulations—practitioners can deploy flexible set membership solutions with tunable workloads across sources and directories. Empirical deployments demonstrate practical performance for PKI revocation, authenticated data publication, blockchain state pruning, and more. Open lines of research persist on optimizing dynamic updates, extending to privacy-preserving queries, and integrating with succinct zero-knowledge primitives (0905.1307, B, 2020, Cebe et al., 2019).
