Hi Adam, Matthew!

Thanks for the reply.
So, basically, the main obstacle to practical implementation would be
constructing efficient ZKPs with the Lipmaa accumulator, while from a
theoretic standpoint there is also the issue that the scheme being
used is somewhat exotic and needs more academic scrutiny. Got that.
Thank you for explaining!

P.S.: upon re-reading the zerocoin paper, I've come up with another
(hopefully, silly) accumulator question, but I'll post it as a
separate newsletter submission so as to keep questions separate.

Warm regards,
      Jane

> Hi Adam, Jane,
>
> I'm not as familiar with Lipmaa's construction as I am with the RSA-based and
> bilinear accumulators. However, I note that Lipmaa's proposals rely on strong
> (or at least, new) hardness assumptions in class groups of imaginary quadratic
> order. Lipmaa points out the need for further study of these assumptions at
> the end of his paper.
>
>
> A more serious issue is that we also require an efficient zero-knowledge (ZK)
> proof that a value has been accumulated. Our Zerocoin construction uses a very
> efficient protocol due to Camenisch and Lysyanskaya, and equivalent protocols
> also exist for the bilinear-based accumulators. Lipmaa's proposal uses class
> groups, and I just don't know what the ZK proof would look like in that
> setting, or if it would be practical enough for real use. In fact, I'm not
> entirely sure how efficient the accumulator itself is, since this is not an
> area I work in.
>
> We're definitely interested in alternative constructions, both to get rid of
> trusted setup and to make the protocols more efficient. If Lipmaa's
> accumulator fit the bill, we'd be interested in using it. However, I would
> need to know a
> lot more (and there would need to be further research done) before I'd feel
> confident deploying it in practice.
>
> Matt
>
> On May 5, 2013, at 6:58 AM, Adam Back <[email protected]> wrote:
>
>> This below post didn't elicit any response, but the poster references an
>> interesting though novel (and therefore possibly risky) alternative
>> accumulator without the need for a centrally trusted RSA key generator
>> (which is an anathema to a distributed trust system), or alternatively
>> zero-trust but very inefficient RSA UFO mentioned in Green's paper.  Lipmaa
>> is a well known researcher, and Lipmaa's proposed novel accumulator scheme
>> does appear to offer a simultaneously efficient and zero trust alternative
>> to the optimized Benaloh accumulator zerocoin, like Sander and Ta-Shma's
>> auditable ecash that it is based on.
>>
>> ps I notice that Matthew Green's address was mistyped by the parent poster,
>> so I have fixed that.
>>
>> Adam
>>
>> Sat, Apr 27, 2013 at 05:25:02PM +0400
>> [...]
>>
>> I have recently read the Zerocoin paper which describes a very
>> interesting enhanced anonymity solution for bitcoin-like "blockchain
>> based" cryptocurrencies (those unfamiliar can check it out here
>> http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf)
>>
>> The paper specifically states that "While we were not able to find an
>> analogue of our scheme using alternative components, it is possible
>> that further research will lead to other solutions. Ideally such an
>> improvement could produce a drop-in replacement for our existing
>> implementation"
>>
>> However, I've come across an alternative cryptographic accumulator
>> that does not require trusted setup, the Lipmaa Euclidean Rings based
>> design. (http://www.cs.ut.ee/~lipmaa/papers/lip12b/cl-accum.pdf)
>> From my superficial assessment, it appears fitting for a zerocoin like
>> design, but I find it quite likely that I am missing the obvious.
>>
>> The question thus is: what exactly prevents Lipmaa accumulator from
>> being used as aforementioned drop-in replacement?
>>
>> Thank you very much in advance.
>>
>> On Sat, Apr 27, 2013 at 5:25 PM, Jane <[email protected]> wrote:
> Good afternoon mailing list subscribers!
> Good afternoon Mr. Green!
>
> First, I'd like to ask pardon if my question is not particularly
> bright - I am not a professional cryptographer, so I might be missing
> something very obvious.
>
> I have recently read the Zerocoin paper which describes a very
> interesting enhanced anonymity solution for bitcoin-like "blockchain
> based" cryptocurrencies (those unfamiliar can check it out here
> http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf)
>
> The paper specifically states that "While we were not able to find an
> analogue of our scheme using alternative components, it is possible
> that further research will lead to other solutions. Ideally such an
> improvement could produce a drop-in replacement for our existing
> implementation"
>
> However, I've come across an alternative cryptographic accumulator
> that does not require trusted setup, the Lipmaa Euclidean Rings based
> design. (http://www.cs.ut.ee/~lipmaa/papers/lip12b/cl-accum.pdf)
> From my superficial assessment, it appears fitting for a zerocoin like
> design, but I find it quite likely that I am missing the obvious.
>
> The question thus is: what exactly prevents Lipmaa accumulator from
> being used as aforementioned drop-in replacement?
>
> Thank you very much in advance.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
