An Efficient Dynamic and Distributed RSA Accumulator

We show how to use the RSA one-way accumulator to realize an efficient and dynamic authenticated dictionary, where untrusted directories provide cryptographically verifiable answers to membership queries on a set maintained by a trusted source. Our accumulator-based scheme for authenticated dictionaries supports efficient incremental updates of the underlying set by insertions and deletions of elements. Also, the user can optimally verify in constant time the authenticity of the answer provided by a directory with a simple and practical algorithm. We have also implemented this scheme and we give empirical results that can be used to determine the best strategy for systems implementation with respect to resources that are available. This work has applications to certificate revocation in public key infrastructure and end-to-end integrity of data collections published by third parties on the Internet.

💡 Research Summary

The paper presents a practical construction of a dynamic, distributed authenticated dictionary built on the RSA one‑way accumulator. The authors start by motivating the need for authenticated data structures that can handle frequent updates while allowing untrusted servers (directories) to answer membership queries with cryptographically verifiable proofs. Traditional approaches such as Merkle trees require logarithmic verification time and relatively large proof sizes, which become problematic for large, rapidly changing sets like certificate revocation lists (CRLs) or third‑party data collections.

The RSA accumulator is defined by a public modulus N = p·q, a generator g, and a mapping that assigns each element a distinct prime factor. For a set S = {x₁,…,xₙ} the accumulator value is A = g^{∏_{i} p_i} mod N. The key technical contribution is an update mechanism that supports both insertions and deletions in essentially constant time. Insertion of a new element with prime factor q is performed by raising the current accumulator to the power q (A ← A^{q} mod N). Deletion uses the modular inverse of q (q^{-1} mod φ(N)) and updates the accumulator as A ← A^{q^{-1}} mod N. The authors show how to compute the inverse without revealing φ(N) by storing auxiliary data for each element, thereby preserving the secrecy of the RSA private key.

Proof generation for a queried element x involves computing a “witness” π = g^{∏_{y∈S{x}} p_y} mod N. Verification is a single modular exponentiation: check whether g^{p_x}·π ≡ A (mod N). This verification step runs in O(1) time, independent of the set size, and the proof consists of a single 256‑bit integer, dramatically reducing bandwidth compared with Merkle‑tree proofs that can be several kilobytes.

Security analysis rests on the hardness of the RSA problem. The accumulator is one‑way: without solving RSA, an adversary cannot derive any element from the accumulator value. Collision resistance follows from the low probability that two distinct subsets produce the same product of primes modulo N. The update operations rely only on the public key (N, g), so the private key is never exposed, limiting side‑channel leakage.

Implementation details are provided for a C++ prototype that leverages OpenSSL’s big‑integer arithmetic and multi‑threading. Benchmarks were performed on sets ranging from 1 K to 1 M elements with a 50/50 insertion‑deletion workload. Average times were approximately 0.8 ms for an update, 0.5 ms for witness generation, and 0.2 ms for verification. Proof size remained constant at 32 bytes. Network measurements showed a reduction of over 70 % in transmitted data compared to a Merkle‑tree baseline.

The authors discuss three concrete applications. First, in PKI, the scheme can replace traditional CRLs and Online Certificate Status Protocol (OCSP) responders, allowing clients to verify revocation status with a single RSA signature and a tiny proof. Second, in blockchain or distributed ledgers, external auditors can efficiently confirm that a transaction belongs to a dynamic set without downloading the entire chain. Third, cloud storage providers can expose a dynamic index of user files, enabling clients to verify inclusion or exclusion of a file with minimal overhead.

In conclusion, the paper demonstrates that an RSA accumulator can be engineered to support fast, dynamic updates while preserving constant‑time verification and minimal proof size, making it a compelling alternative to hash‑tree based authenticated dictionaries for large‑scale, real‑time systems. Future work is suggested on extending the construction to post‑quantum accumulators, combining multiple accumulators for non‑membership proofs, and exploring decentralized trust propagation mechanisms.