Efficient Accumulators without Trapdoor Extended Abstract

In 1994 Benaloh and de Mare introduced the notion of one way accumulators that allow to construct efficient protocols for proving membership in a list and related problems like time stamping and authentication. As required by Benaloh et al. unlike in signature based protocols no central trusted authority is (should be) needed. Accumulator based protocols do further improve on hash tree based protocols for proving membership in a list as verification and storage requirements are independent of the number of items in the list. Benaloh’s et al. accumulator construction was based on exponentiation modulo a RSA modulus N=PQ. As already noted by Benaloh et al. the party (or parties) who generated the needed RSA modulus N during system set up knows a factorization of N. This knowledge allows this party to completely bypass the security of accumulator based protocols. For example a time stamping agency could forge time stamps for arbitrary documents. Thus these parties need to be trusted in (at least) two ways. First that they do not abuse their knowledge of the trapdoor and secondly to have had adequate security in place during system set up, which prevented outside attackers from getting hold of P and Q. In this paper we describe a way to construct (generalized) RSA moduli of factorization unknown to anybody. This yields (theoretically) efficient accumulators such that “nobody knows a trapdoor” and the two above mentioned trust requirements in the parties who set up the system can be removed.