Hi Adam, Jane,

I'm not as familiar with Lipmaa's construction as I am with the RSA-based and bilinear accumulators. However, I note that Lipmaa's proposals rely on strong (or at least, new) hardness assumptions in class groups of imaginary quadratic order. Lipmaa points out the need for further study of these assumptions at the end of his paper.
A more serious issue is that we also require an efficient zero-knowledge (ZK) proof that a value has been accumulated. Our Zerocoin construction uses a very efficient protocol due to Camenisch and Lysyanskaya, and equivalent protocols also exist for the bilinear-based accumulators. Lipmaa's proposal uses class groups, and I just don't know what the ZK proof would look like in that setting, or if it would be practical enough for real use. In fact, I'm not entirely sure how efficient the accumulator itself is, since this is not an area I work in.

We're definitely interested in alternative constructions, both to get rid of trusted setup and to make the protocols more efficient. If Lipmaa's accumulator fit the bill, we'd be interested in using it. However, I would need to know a lot more (and there would need to be further research done) before I'd feel confident deploying it in practice.

Matt

On May 5, 2013, at 6:58 AM, Adam Back <[email protected]> wrote:

> This below post didn't elicit any response, but the poster references an interesting though novel (and therefore possibly risky) alternative accumulator without the need for a centrally trusted RSA key generator (which is an anathema to a distributed trust system), or alternatively zero-trust but very inefficient RSA UFO mentioned in Green's paper. Lipmaa is a well known researcher, and Lipmaa's proposed novel accumulator scheme does appear to offer a simultaneously efficient and zero trust alternative to the optimized Benaloh accumulator zerocoin, like Sander and Ta-Shma's auditable ecash that it is based on.
>
> ps I notice Matthew Green's address was mistyped by the parent poster, so I have fixed that.
>
> Adam
>
> Sat, Apr 27, 2013 at 05:25:02PM +0400
>> [...]
>>
>> I have recently read the Zerocoin paper which describes a very interesting enhanced anonymity solution for bitcoin-like "blockchain based" cryptocurrencies (those unfamiliar can check it out here http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf)
>>
>> The paper specifically states that "While we were not able to find an analogue of our scheme using alternative components, it is possible that further research will lead to other solutions. Ideally such an improvement could produce a drop-in replacement for our existing implementation"
>>
>> However, I've come across an alternative cryptographic accumulator that does not require trusted setup, the Lipmaa Euclidean Rings based design. (http://www.cs.ut.ee/~lipmaa/papers/lip12b/cl-accum.pdf) From my superficial assessment, it appears fitting for a zerocoin like design, but I find it quite likely that I am missing the obvious.
>>
>> The question thus is: what exactly prevents Lipmaa accumulator from being used as aforementioned drop-in replacement?
>>
>> Thank you very much in advance.
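The thread turns on why the RSA-based accumulator needs a trusted setup. The toy below is an added illustration, not code from the thread or from the Zerocoin project: it implements the accumulate/witness/verify steps of a Benaloh-style RSA accumulator with constructed tiny primes, then shows that whoever holds the factorisation of N can mint a valid membership witness for a value that was never accumulated.

```python
# Toy RSA accumulator, added example (not the thread's or Zerocoin's code).
# Constructed parameters: tiny primes so the arithmetic is readable. Real
# deployments use ~2048-bit primes and accumulate prime-valued elements.
from math import gcd

P, Q = 1009, 1013          # the trapdoor: whoever generated N knows these
N = P * Q                  # public RSA modulus
G = 3                      # public base, coprime to N (assumed)


def accumulate(elements):
    """Accumulator value A = G^(product of elements) mod N."""
    acc = G
    for e in elements:
        acc = pow(acc, e, N)
    return acc


def witness(elements, x):
    """Honest membership witness for x: G^(product of the other elements).
    Needs the full set (or a prior witness), but no secret."""
    w = G
    for e in elements:
        if e != x:
            w = pow(w, e, N)
    return w


def verify(acc, x, w):
    """Verifier checks w^x == A mod N. Public inputs only."""
    return pow(w, x, N) == acc


def forge_witness_with_trapdoor(acc, x):
    """With phi(N) known, an x-th root of A is trivial: A^(x^-1 mod phi(N)).
    This is exactly the forgery the strong-RSA assumption is meant to rule
    out for anyone who does NOT know the factorisation of N."""
    phi = (P - 1) * (Q - 1)
    if gcd(x, phi) != 1:
        raise ValueError("x must be invertible mod phi(N)")
    d = pow(x, -1, phi)    # modular inverse (Python 3.8+)
    return pow(acc, d, N)


if __name__ == "__main__":
    members = [5, 7, 11]                     # constructed accumulated set
    acc = accumulate(members)
    print("honest 7 verifies:", verify(acc, 7, witness(members, 7)))
    print("forged 13 verifies:", verify(acc, 13, forge_witness_with_trapdoor(acc, 13)))
```

The forged witness passes the same public check as an honest one, which is why a distributed system cannot let any single party generate N.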
