1 research outputs found
Cryptanalysis of Au et al. Dynamic Universal Accumulator
In this paper we cryptanalyse the two accumulator variants proposed by Au et al., namely the -based construction and the reference string-based (-based) construction.
We show that if non-membership witnesses are issued according to the -based construction, colluding users can efficiently discover the secret accumulator parameter and takeover the Accumulator Manager. More precisely, if is the order of the underlying bilinear group, the knowledge of non-membership witnesses permits to successfully recover . Further optimizations and different attack scenarios allow to reduce the number of required witnesses to , together with practical attack complexity. Moreover, we show that accumulator collision resistance can be broken if just one of these non-membership witnesses is known to the attacker.
In the case when non-membership witnesses are issued using the -based construction (with kept secret by the Manager), we show that a group of colluding users can reconstruct the
and compute witnesses for arbitrary new elements. In particular, if the accumulator is initialized by adding secret elements, colluding users that share their non-membership witnesses will succeed in such attack