Cryptographic Accumulators for Authenticated Hash Tables

Hash tables are fundamental data structures that optimally answer membership queries. Suppose a client stores n elements in a hash table that is outsourced at a remote server. Authenticating the hash table functionality, i.e., verifying the correctness of queries answered by the server and ensuring the integrity of the stored data, is crucial because the server, lying outside the administrative control of the client, can be malicious. We design efficient and secure protocols for optimally authenticating (non-)membership queries on hash tables, using cryptographic accumulators as our basic security primitive and applying them in a novel hierarchical way over the stored data. We provide the first construction for authenticating a hash table with constant query cost and sublinear update cost, strictly improving upon previous methods. Our first solution, based on the RSA accumulator, allows the server to provide a proof of integrity of the answer to a membership query in constant time and supports updates in O (nǫ log n) time for any fixed constant 0 < ǫ < 1, yet keeping the communication and verification costs constant. It also lends itself to a scheme that achieves different trade-offs—namely, constant update time and O(nǫ) query time. Our second solution uses an accumulator that is based on bilinear pairings to achieve O(nǫ) update time at the server while keeping all other complexities constant. Both schemes apply to two concrete data authentication models and an experimental evaluation shows good scalability. A preliminary version of this work was presented at the 15th ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, 2008. Department of Computer Science, Brown University. Email: [email protected]. Department of Computer Science, Brown University. Email: [email protected]. Department of Computer Science, Boston University and Department of Computer Science, Brown University. Email: [email protected]. Research performed primarily while the author was with the Department of Computer Science at Aarhus University, Denmark.