Eecient Accumulators without Trapdoor Extended Abstract

In 1994 Benaloh and de Mare introduced the notion of one way accumulators that allow to construct eecient protocols for proving membership in a list and related problems like time stamping and authentication. As required by Benaloh et al. unlike in signature based protocols no central trusted authority is (should be) needed. Accumula-tor based protocols do further improve on hash tree based protocols for proving membership in a list as veriication and storage requirements are independent of the number of items in the list. Benaloh's et al. accumu-lator construction was based on exponentiation modulo a RSA modulus N = PQ. As already noted by Benaloh et al. the party (or parties) who generated the needed RSA modulus N during system set up knows a factorization of N. This knowledge allows this party to completely bypass the security of accumulator based protocols. For example a time stamping agency could forge time stamps for arbitrary documents. Thus these parties need to be trusted in (at least) two ways. First that they do not abuse their knowledge of the trapdoor and secondly to have had adequate security in place during system set up, which prevented outside attackers from getting hold of P and Q. In this paper we describe a way to construct (generalized) RSA moduli of factorization unknown to anybody. This yields (theoretically) eecient accumulators such that \nobody knows a trapdoor" and the two above mentioned trust requirements in the parties who set up the system can be removed.