RSA Accumulator: Fundamentals & Applications
- An RSA accumulator is a cryptographic primitive that provides succinct set commitments by mapping elements to prime representatives and using exponentiation, ensuring constant-size membership proofs.
- It supports efficient dynamic updates with O(1) insertions and precomputed witness queries, though deletions may require full recomputation due to the absence of exponent inverses.
- Applications include authenticated dictionaries, certificate revocation, and blockchain state compression, delivering significant performance improvements and robust security under the strong RSA assumption.
An RSA accumulator is a cryptographic primitive that allows efficient, succinct representation of a set of elements so that cryptographically secure membership (and often non-membership) proofs can be generated and verified with constant-size witnesses and proofs. Founded on the hardness of the strong RSA assumption, RSA accumulators have found applications in areas such as dynamic authenticated dictionaries, certificate revocation in PKI, verifiable data structures, and authenticated state compression in blockchains (0905.1307, B, 2020, Cebe et al., 2019).
1. Theoretical Foundation and Structure
RSA accumulators operate in a hidden-order group, specifically the multiplicative group of quadratic residues modulo an RSA modulus , where and are strong primes. The public parameters include and a generator . For security, the strong RSA assumption is required: given and a random in , it is hard to find such that (0905.1307).
Each element 0 to be stored is mapped into a prime representative 1 using a two-universal hash function or a hash-and-prime search protocol. For a set 2 encoded as prime representatives 3, the accumulated value is defined as
4
thus succinctly committing to the entire set in a single group element (0905.1307, B, 2020, Cebe et al., 2019).
2. Membership and Non-membership Proofs
Membership Witnesses
To prove that 5, the witness 6 is computed as the accumulation over all elements except 7: 8 Verification then involves checking that 9. Under the strong RSA assumption, forgery is infeasible (0905.1307, B, 2020, Cebe et al., 2019).
Non-membership Proofs
For 0, certain constructions allow compact non-membership proofs. One method involves leveraging Bézout coefficients 1 for the equation 2, where 3. The non-membership proof is a pair 4, verified by checking that
5
This construction guarantees soundness under the strong RSA assumption and the use of prime-only group elements (Cebe et al., 2019).
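A worked version of the membership check and the Bézout-based non-membership check described above, added here as an illustration and not taken from the cited papers. The toy modulus, the generator `G = 4`, the 32-bit `hash_to_prime` routine, all function names and the proof layout `(a, G^b)` are assumptions of this example.

```python
import hashlib
from math import gcd, isqrt, prod

# Constructed toy parameters: safe primes 1019 and 1187. Real deployments use
# a modulus of 2048 bits or more; these values only make the algebra visible.
N = 1019 * 1187
G = 4  # a quadratic residue mod N

def hash_to_prime(element: bytes) -> int:
    """Hash-and-search: bump a counter until SHA-256 yields a 32-bit odd prime."""
    counter = 0
    while True:
        digest = hashlib.sha256(element + counter.to_bytes(4, "big")).digest()
        cand = int.from_bytes(digest[:4], "big") | (1 << 31) | 1
        if all(cand % d for d in range(3, isqrt(cand) + 1, 2)):
            return cand
        counter += 1

def accumulate(primes) -> int:
    """A = G^(product of all prime representatives) mod N."""
    return pow(G, prod(primes), N)

def member_witness(primes, x: int) -> int:
    """Accumulate every representative except x."""
    return pow(G, prod(p for p in primes if p != x), N)

def verify_member(acc: int, x: int, witness: int) -> bool:
    return pow(witness, x, N) == acc

def nonmember_proof(primes, y: int):
    """Bezout pair (a, b) with a*u + b*y = 1; the proof is (a, G^b mod N)."""
    u = prod(primes)
    if gcd(u, y) != 1:
        raise ValueError("y divides the accumulated product: it is a member")
    a = pow(u, -1, y)        # a*u = 1 (mod y), with 0 < a < y
    b = (1 - a * u) // y     # exact division; b is negative
    return a, pow(G, b, N)   # negative exponent = modular inverse (Python 3.8+)

def verify_nonmember(acc: int, y: int, proof) -> bool:
    # acc^a * d^y = G^(a*u + b*y) = G exactly when the Bezout relation holds.
    a, d = proof
    return pow(acc, a, N) * pow(d, y, N) % N == G
```

The verifier needs only the accumulator, the candidate's prime representative and the proof; it never sees the rest of the set.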
3. Dynamic Accumulator Update Algorithms
Efficient support for dynamic set updates requires careful protocol engineering. The key algorithms are as follows:
- Insertion: Given a new element 6, update via exponentiation 7 (constant cost).
- Deletion: As inverses typically cannot be computed in exponent space without knowledge of 8, a full recomputation may be required: 9 (linear cost).
- Witness Precomputation: Precomputing all 0 witnesses reduces per-query cost to 1, at the expense of 2 source update time (0905.1307).
The following table summarizes complexity trade-offs for prominent dynamic accumulator update protocols:
| Scheme | Source Insert/Delete | Directory Query | User Verify |
|---|---|---|---|
| Straightforward | O(1)/O(n) | O(n) | O(1) |
| Precomputed Accumulations | O(n) | O(1) | O(1) |
| Parameterized/Hierarchical | O(n^{c/(c+1)}) | O(n^{c/(c+1)}) | O(1) |
Parameterizing or hierarchizing groupings allows trade-offs between source and directory work, achieving sublinear (e.g., 3) performance as required (0905.1307).
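The insertion, deletion and precomputed-witness behaviour listed above, as an added example that is not code from the cited papers. It assumes a manager who knows the factorization of the modulus and can therefore invert exponents modulo φ(N); the toy parameters, the `Accumulator` class and its method names are all constructed for this illustration.

```python
from math import prod

# Constructed toy parameters, far too small for real use.
P, Q = 1019, 1187            # safe primes, known only to the accumulator manager
N = P * Q
PHI = (P - 1) * (Q - 1)      # trapdoor: lets the manager invert exponents
G = 4                        # quadratic residue mod N

class Accumulator:
    """Tracks the accumulated value and one precomputed witness per element."""

    def __init__(self, primes):
        self.primes = list(primes)
        self._rebuild()

    def _rebuild(self):
        # Linear in the set size: every witness skips exactly one representative.
        self.value = pow(G, prod(self.primes), N)
        self.witness = {x: pow(G, prod(p for p in self.primes if p != x), N)
                        for x in self.primes}

    def insert(self, x):
        # One exponentiation for the value, one per stored witness kept valid.
        self.witness = {p: pow(w, x, N) for p, w in self.witness.items()}
        self.witness[x] = self.value      # the old value already excludes x
        self.value = pow(self.value, x, N)
        self.primes.append(x)

    def delete_public(self, x):
        # Without the trapdoor there is no x-th root to take: recompute.
        self.primes.remove(x)
        self._rebuild()

    def delete_with_trapdoor(self, x):
        # Manager only: x^-1 mod phi(N) undoes the exponentiation by x.
        inv = pow(x, -1, PHI)
        self.primes.remove(x)
        del self.witness[x]
        self.value = pow(self.value, inv, N)
        self.witness = {p: pow(w, inv, N) for p, w in self.witness.items()}

    def verify(self, x):
        return x in self.witness and pow(self.witness[x], x, N) == self.value
```

Both deletion paths end in the same accumulator and witnesses; a witness issued before the deletion no longer verifies against the new value.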
4. Applications and Protocol Integrations
Authenticated Dictionaries
RSA accumulators enable dynamic authenticated dictionaries where a trusted source maintains the set, untrusted directories answer queries, and lightweight users verify membership using constant-size proofs and one modular exponentiation (0905.1307).
Certificate Revocation
By representing certificate serial numbers as primes, and accumulating the revocation set, one can distribute a single accumulator 4 and associated member/non-member witnesses. In empirical tests, deploying accumulators for certificate revocation (rather than conventional CRLs or Bloom filters) reduced update and distribution times from tens of minutes to under a second in AMI/IoT testbeds, with per-meter storage falling to 768 bytes—even with 30,000 revoked certificates (Cebe et al., 2019).
Blockchain State Compression
In securePrune, the unspent transaction output set is committed to using an accumulator in each block header. Inclusion and deletion updates are attested by non-interactive proof-of-exponentiation (NI-PoE) arguments. Full nodes prune historic blocks after snapshot confirmation, reducing storage needs by 85%. Validator overhead increases by less than 0.4 seconds per block, with 1 KB extra communication per block (B, 2020).
5. Performance and Empirical Results
Representative measured performance from respective studies:
- Java Implementation (n up to 5): Insert or query costs could be tuned using hierarchy, with (6) partitioning empirically superior for source-directory workload balance (0905.1307).
- AMI Revocation (2048-bit N):
  - Distribution time for accumulator and proofs: 70.6s–1.2s for 81–196 nodes, versus minutes–hours for CRLs (Cebe et al., 2019).
  - Accumulate (30,000 entries): 80.36s (with 9 known), up to 36s without.
  - Smart meter verification: ~10 ms per membership check.
- Blockchain UTXO Pruning:
  - Miner computation (per block): 00.3s for batch update and proof.
  - Verifier cost: 10.35s per block (100 tx), negligible relative to a 10-minute (600s) block interval.
  - Storage reduced to 2400 MiB for a chain otherwise multiple gigabytes (B, 2020).
6. Security Properties
Security is grounded in the strong RSA assumption:
- No polynomial-time adversary can forge member or non-member witnesses for values not in the set, as this would require finding 3 for a random 4.
- Hash-to-prime mappings and (optionally) tweak primes guard against collisions and replay attacks (0905.1307, Cebe et al., 2019).
- Even with access to numerous valid witness/proof pairs, exponents and factorizations remain hidden due to the unknown group order.
Secret tweaks provide recovery and freshness if the accumulator manager is compromised, enabling rekeying in seconds at sub-kilobyte cost to all users (Cebe et al., 2019).
7. Summary and Research Trajectory
RSA accumulators provide size-oblivious, succinct cryptographic set commitments with optimal O(1)-size proofs and fast verification. Through architectural refinements—precomputed, parameterized, and hierarchical accumulations—practitioners can deploy flexible set membership solutions with tunable workloads across sources and directories. Empirical deployments demonstrate practical performance for PKI revocation, authenticated data publication, blockchain state pruning, and more. Open lines of research persist on optimizing dynamic updates, extending to privacy-preserving queries, and integrating with succinct zero-knowledge primitives (0905.1307, B, 2020, Cebe et al., 2019).