Cryptography Reference
In-Depth Information
The downside is that fail-stop signatures are ineffective in preventing attacks
against the one-way hash function. And if Alice's private key is stolen, then
the catastrophe is preprogrammed, regardless of the protocol used, unless cryp-
tologists can find a trick to limit this damage, too.
6.6.6 One-Way Accumulators
A
one-way accumulator
is a protocol that allows Alice to prove to important
people that she is a member of a secret intelligence organization without having
to disclose its member list.
This is nothing new, you might think, there are IDs after all. In the digital
world, she only needs to show an appropriately signed document.
Unfortunately, no trustworthy authority willing to sign the electronic mem-
ber IDs was to be found. Or more likely, the members fear that a national
intelligence agency is trying to infiltrate members. Headquarters would notice
this, but the ordinary members don't carry lists around with them for security
reasons, so they cannot see whether or not an ID is forged (intelligence agen-
cies can forge). Nobody from within the organization is sufficiently immune to
extortion that his signature would be good for the member IDs.
Cryptology comes in handy here, too. A one-way accumulator can serve as
a one-way hash function defined for sequences of member names, and the
results are independent of the order computed. This means that they are similar
to a commutative sum. However, the function must not be reversible in the
cryptological sense: it should not be possible at an acceptable cost for a given
result,
R
, to construct two names that supply result
R
when using the one-way
accumulator. So calculating a sum is a poor example.
Benaloh and De Mare introduced better functions in 1994 [Benal.acc]. The
authors demonstrated a simple example based on the security of discrete loga-
rithms:
All members agree on a product,
m
, of two very large prime numbers and an
initial value of
x
0
. The one-way accumulator from the values
y
1
,...,yn
then
has the following value:
x
y1
+
...
yn
mod n
Every member obtains an identification sequence composed of his name and
a confidential character string. Alice learns the value
W
Alice
of the one-way
