RSA Accumulators in Cryptography

• RSA Accumulators are cryptographic primitives that condense sets into constant-size group elements, enabling efficient membership and non-membership proofs.
• They rely on the strong RSA assumption and are optimized through techniques like prefix-suffix products and precomputed trees for dynamic updates.
• RSA Accumulators are pivotal in applications such as certificate revocation, authenticated PKI, and blockchain state commitment due to their low communication overhead.

An RSA accumulator is a cryptographic primitive that compresses a set of values into a single constant-size group element, supporting efficient (non-)membership proofs with security rooted in the strong RSA assumption. The RSA accumulator is a principal example of asymmetric cryptographic accumulators and is widely deployed for privacy-preserving set-membership, verifiable data outsourcing, efficient certificate revocation, and blockchain state commitment. Its operation and performance have been formalized and optimized across several application domains (Cebe et al., 2019, Ozcelik et al., 2021, 0905.1307, B, 2020).

1. Mathematical Structure and Core Algorithms

Let $k$ be a security parameter (commonly $2048$ or $4096$). Initialization requires generating two strong primes $p,q$ and setting the RSA modulus $N=pq$. Let $\phi(N)=(p-1)(q-1)$ (which is kept secret). Select $g$ randomly from the group of quadratic residues $\mathrm{QR}_N$ or from $\mathbb{Z}_N^*$. The system’s public parameters are $(N, g)$, and optionally a hash-to-prime function $f$ for mapping arbitrary data to unique prime representatives.

Given a multiset $X = \{x_1, \ldots, x_n\}$, map each $x_i$ to a prime $e_i = f(x_i)$ and compute the accumulator value as

$A = g^{\prod_{i=1}^n e_i} \bmod N.$

This construction is quasi-commutative: the resulting $A$ is independent of the order of accumulation due to $g^{ab} = g^{ba}$ (Ozcelik et al., 2021).

• Membership Proof: To prove $x_i \in X$, provide $w_i = g^{\prod_{j \ne i} e_j} \bmod N$. Verification: $(w_i)^{e_i} \equiv A \pmod N$.
• Non-Membership Proof: To prove $y \notin X$, find integers $(a, b)$ such that $a e_y + b E = 1$ (via extended Euclidean algorithm with $E = \prod_{i=1}^n e_i$), and publish $(a, w = g^b \bmod N)$. Verification: $w^{e_y} \cdot A^a \equiv g \pmod N$ (Cebe et al., 2019, Ozcelik et al., 2021).

2. Security Properties and Assumptions

The RSA accumulator’s collision resistance is based on the strong RSA assumption: given $(N, g)$, it is infeasible to find $(h, e > 1)$ with $h^e \equiv g \pmod N$. A valid membership witness $w$ for $x \notin X$ would allow computation of an $e$-th root of $g^{E}$, where $e$ is the prime representative of $x$, violating strong RSA (Ozcelik et al., 2021).

Soundness is uniquely tied to the difficulty of extracting $\phi(N)$ or producing forged roots in $\mathbb{Z}_N^*$. Non-membership soundness requires the trapdoor $\phi(N)$; otherwise, non-membership proofs cannot be constructed, preventing adversarial removals (Cebe et al., 2019).

3. Efficient Update and Dynamic Operations

Adding an element $y$ (prime representative $e_y$) to the accumulated set: $A' = A^{e_y} \bmod N$. Deleting $y$ (requires knowledge of $\phi(N)$): $A' = A^{e_y^{-1} \bmod \phi(N)} \bmod N$. Witness updates propagate by raising previously computed witnesses to $e_y$ or $e_y^{-1}$ as appropriate. In trapdoorless (public) settings, deletions are not supported (Cebe et al., 2019, Ozcelik et al., 2021).

To accelerate membership proof computation in dynamic or large sets, several optimizations are deployed:

• Prefix-suffix products: Compute all witnesses with $O(n)$ multiplications and $n$ exponentiations (Cebe et al., 2019).
• Precomputed trees: Two-phase tree algorithms deliver $O(1)$ query time at the expense of $O(n)$ update at the source (0905.1307).
• Parameterization: Partition into $p$ blocks (e.g., $p\approx\sqrt{n}$), balancing source update and directory query time at $O(n/p)$ (0905.1307).
• Hierarchical accumulations: Multilevel partitions trade $O(n^\epsilon)$ performance for mixed workloads (0905.1307).

4. Complexity, Communication, and Storage

The accumulator, witnesses, and proofs remain constant size ($O(\lambda)$, with $\lambda=|N|$). Core complexities:

• Full accumulation: $O(n)$ prime multiplications, $O(1)$ exponentiation.
• Incremental add: $O(1)$ exponentiation.
• Witness generation: $O(n)$ (naive) or $O(1)$ (with precomputation or trapdoor).
• Verification: $O(1)$ exponentiations (Ozcelik et al., 2021, Cebe et al., 2019, 0905.1307).
• Non-membership proof: one extended GCD and $O(1)$ exponentiation.
• Communication: one group element (membership), one group element plus integer (non-membership), typically $2048$ or $4096$ bits per proof.

The following table summarizes asymptotic costs for key accumulator variants (0905.1307):

Scheme	Source Update	Directory Query	Proof Size	User Verify
Naive	$O(1)$/$O(n)$	$O(n)$	$O(1)$	$O(1)$
Precomputed	$O(n)$	$O(1)$	$O(1)$	$O(1)$
Parameterized	$O(p)$	$O(n/p)$	$O(1)$	$O(1)$
Hierarchical	$O(n^\epsilon)$	$O(n^\epsilon)$	$O(1)$	$O(1)$

5. Applications

RSA accumulators are applied in certificate revocation, verifiable set-membership in public key infrastructures, anonymous credentials, and consensus mechanisms in blockchains.

• Certificate Revocation: In AMI/IoT, accumulators compress thousands of revoked certificates into a single digest with per-device proofs. For $n=30\,000$ revoked certificates, full CRL storage is reduced from $\approx 0.69$ MB to $\approx 0.001$ MB, and distribution overheads shrink by two orders of magnitude at a cost of $9.8$ ms per modular check (Cebe et al., 2019).
• PKI Authenticated Dictionaries: Dynamic accumulators support time-stamped, efficiently verifiable online repositories with sublinear update and query costs (0905.1307).
• Blockchains: In securePrune, RSA accumulators succinctly commit to the UTXO set, supporting block pruning and rapid node bootstrapping. With $Δ_s=1000$, $k=500$, storage is capped at $400$ MiB (an $85\%$ reduction) and sync times decrease by $80\%$. Non-interactive PoE protocols embed accumulator transitions efficiently in block headers (B, 2020).

6. Construction Techniques and Parameter Choices

Prime-representative mapping (hash-to-prime) is pivotal for accumulator soundness. Generic mapping is achieved via

$x = 2^{256} \cdot H_2(\text{data}) + d,$

with $d$ minimal for $x$ to be prime (Cebe et al., 2019).

Modern deployments use $3072$- or $4096$-bit $N$ for $128$-bit classical security. Recommending prime representatives of at least $256$ bits mitigates divisor attacks (Ozcelik et al., 2021). The function $f$ is application-dependent and must be collision-resistant.

RSA accumulators are classified as:

• Public: no trapdoor; only additions, larger/less efficient witnesses.
• Private: trapdoor known; supports deletions, fast updates, but requires trust in manager.
• Universal: both membership and non-membership proofs (requires trapdoor) (Ozcelik et al., 2021).

7. Comparative Context and Limitations

Compared with Merkle trees (hash trees) and authenticated skip lists, RSA accumulators uniquely achieve $O(1)$-size proofs and $O(1)$ verification time, independent of $n$ (0905.1307). However, public (trapdoor-less) accumulators only support additions, whereas witness and deletion efficiency in fully dynamic settings require a trusted party holding $\phi(N)$, introducing potential vulnerabilities.

Efforts to obviate the need for private trapdoors continue, but as of these constructions, only trapdoor-based accumulators enable efficient membership and non-membership proofs for dynamic sets (Ozcelik et al., 2021).

• "Communication-efficient Certificate Revocation Management for Advanced Metering Infrastructure and IoT" (Cebe et al., 2019)
• "An Overview of Cryptographic Accumulators" (Ozcelik et al., 2021)
• "An Efficient Dynamic and Distributed RSA Accumulator" (0905.1307)
• "securePrune:Secure block pruning in UTXO based blockchains using Accumulators" (B, 2020)