VULNERABILITY OF A NON-MEMBERSHIP PROOF SCHEME
Kun Peng and Feng Bao
Institute for Infocomm Research, Connexis, Singapore
Keywords:
Attack, Non-membership proof.
Abstract:
An accumulator system used for a special application of anonymous credential is extended by Li et al to a much
wider range of applications: membership proof and non-membership proof. Given a committed secret integer
and a public finite set of prime integers, two proof protocols, membership proof and non-membership proof
are proposed in the extended scheme. The former proves that the integer is in the set when it is really in, while
the latter proves that the integer is not in the set when it is really not in. Although the original accumulator
technique works well in its appointed special application, the extension is insecure and vulnerable to attacks.
Several attacks against membership proof and non-membership proof in the extended work is proposed in this
paper to show its vulnerability in security. The attacks show that an attacker can employ various methods to
give membership proof to an integer not in the set and non-membership proof to an integer in the set.
1 INTRODUCTION
An accumulator system is designed in (Camenisch
and Lysyanskaya, 2002) for application to anonymous
credential. The original design is very efficient and
achieves provable security in its special application.
In (Li et al., 2007), the technique in (Camenisch and
Lysyanskaya, 2002) is generalized and extended to
solve a much more general question: membership
proof and non-membership proof. Membership proof
proves a secret committed integer is in a finite set,
while non-membership proof proves a secret commit-
ted integer is not in a finite set. These two proofs
havea much wider range of applications than the orig-
inal special accumulator system in (Camenisch and
Lysyanskaya, 2002) and are frequently used in vari-
ous cryptographic applications.
In (Li et al., 2007) an accumulator is generated
for the set, which stands for the integers in the set in
a more brief form. For any integer in the set, a mem-
bership witness is generated, which can show mem-
bership of the integer when checked against the ac-
cumulator. When proving membership of an integer,
a prover only needs to show knowledge of the mem-
bership witness in a zero knowledge proof. For any
integer not in the set, a non-membership witness is
generated, which can show non-membership of the
integer when checked against the accumulator. When
proving non-membership of an integer, a prover only
needs to show knowledgeof the non-membership wit-
ness in a zero knowledge proof.
As the original accumulator system (Camenisch
and Lysyanskaya, 2002) works in a special applica-
tion with strict limitations on parameter setting, par-
ticipants’ roles and application environment, the sim-
ple extension (Li et al., 2007) is too wide and not
secure. In this paper, the extended work is demon-
strated to be vulnerable to attacks against its sound-
ness, where soundness of membership proof and non-
membership proof are defined as follows.
Definition 1. (Soundness of membership proof). If a
committed integer is not in the set, the probability that
the prover can pass the verification in the membership
proof protocol is negligible.
Definition 2. (Soundness of non-membership proof).
If a committed integer is in the set, the probability
that the prover can pass the verification in the non-
membership proof protocol is negligible.
In this paper, firstly an attacking algorithm is pro-
posed to employ Euclidean algorithm and the Chi-
nese remainder theorem to extract a secret parame-
ter called φ(n) in (Li et al., 2007). Then four attacks
are designed, two to compromise soundness of mem-
bership proof in (Li et al., 2007) and two to compro-
mise soundness of non-membership proof in (Li et al.,
2007). The attacks show that even if a prover com-
mits to an integer not in the set, he can still pass the
membership proof with a non-negligible probability.
Moreover, using the attacks, even if a prover com-
419
Peng K. and Bao F. (2010).
VULNERABILITY OF A NON-MEMBERSHIP PROOF SCHEME.
In Proceedings of the International Conference on Security and Cryptography, pages 419-422
DOI: 10.5220/0002912904190422
Copyright
c
SciTePress
mits to an integer in the set, he can still pass the non-
membership proof with a non-negligible probability.
It is demonstrated that membership proof and non-
membership proof in (Li et al., 2007) are vulnerable
to even more attacks. The main reason for vulnera-
bility of the membership proof and non-membership
proof in (Li et al., 2007) is that it bases a general and
wide-range solution on a very special and strictly lim-
ited technique. Actually the technique in (Camenisch
and Lysyanskaya, 2002) is not suitable for the gen-
eral applications in (Li et al., 2007). The author of
(Camenisch and Lysyanskaya, 2002) suggests that in
general membership proof, the general-purpose tech-
nique in (Camenisch et al., 2008) should be used.
2 THE NON-MEMBERSHIP
PROOF SCHEME IN (Li et al.,
2007)
In (Li et al., 2007), a non-membership proof scheme
is proposed, which shows non-membership of an in-
teger using its non-membership witness. As we state
before, besides non-membership witness it provides
membership witness, so supports membership proof
as well. Its design includes generation and update
of accumulator, generation and update of member-
ship witnesses and non-membership witnesses and
the proof protocols to use them. Firstly, the impor-
tant symbols used in (Li et al., 2007) are as follows.
• k is a system parameter and n is a composite of
length k. n = pq, p = 2p
′
+ 1, q = 2q
′
+ 1, p and
q have equal length and p,q, p
′
,q
′
are all prime
integers.
• Set G
f
contains all the quadratic residues in Z
n
.
Integers g and h are in G
f
such that log
g
h is
unknown to any prover to carry out membership
proof or non-membership proof.
• X
k
denotes all the primes in Z
2
l
where l = ⌊k/2⌋−
2.
• The set X regarding which membership proof and
non-membership proof are performed may be any
subset of X
k
. Namely, X = {x
1
,x
2
,...,x
m
} where
x
i
∈ X
k
for i = 1,2,...,m and m is no more than
the cardinality of X
k
.
• n
1
is a special RSA modulus of length k
1
.
• h
1
is a random value in QR
n
1
, the subset contain-
ing all the quadratic residues in Z
n
1
. g
1
is a ran-
dom value in the group generated by h
1
.
• A secret integer s is committed in c
1
= g
s
1
h
r
1
mod
n
1
where r is randomly chosen form Z
n
1
.
For each integer x ∈ X, there is a membership wit-
ness c
x
such that c
x
x
= c mod n where c is a public in-
teger called the accumulator value in (Camenisch and
Lysyanskaya, 2002). To prove that the integer com-
mitted in c
1
is in X, a prover has to prove knowledge
of secret integers x, r and c
x
such that
c
1
= g
x
1
h
r
1
mod n
1
(1)
c
x
x
= c mod n (2)
x ∈ Z
2
l
(3)
The accumulator value c is equal to g
∏
m
i=1
x
i
mod n,
which is public information once X is published. Dif-
ferent parties may have different methods to calculate
c
x
, which should be equal to g
∏
x
i
6=x
1≤i≤m
x
i
mod n. For
example, once X is published, a prover can calculate
c
x
= g
∏
x
i
6=x
1≤i≤m
x
i
mod n.
For each integer x /∈ X but in X
k
, there is a non-
membership witness (a, d) such that c
a
= d
x
g mod n.
To prove that the integer committed in c
1
is not in X,
a prover has to prove knowledge of secret integers x,
r, a and d such that
c
1
= g
x
1
h
r
1
mod n
1
(4)
c
a
= d
x
g mod n (5)
x ∈ Z
2
l
(6)
a ∈ Z
2
l
(7)
The method to generate a and d for x in (Li et al.,
2007) is as follows where u
′
= u mod φ(n) and u =
∏
m
i=1
x
i
.
• If gcd(x,u
′
) = 1, integers a and b are calculated
such that au
′
+ bx = 1, and d = g
−b
mod n.
• If gcd(x,u
′
) 6= 1, integers a and b are calculated
such that au+ bx = 1. Then b
′
= b mod φ(n) and
d = g
−b
′
mod n.
3 ATTACKS TO COMPROMISE
SOUNDNESS OF MEMBERSHIP
PROOF AND
NON-MEMBERSHIP PROOF
Firstly, an attacking algorithm is proposed to extract
a multiple of φ(n). Then Four attacks are designed
to compromise soundness of membership proof and
non-membership proof in (Li et al., 2007). Finally,
less important attacks easier to preventare mentioned.
3.1 An Attacking Algorithm
With a non-negligible probability, an attacker can cal-
culate a multiple of φ(n) in polynomial time using
SECRYPT 2010 - International Conference on Security and Cryptography
420
some non-membership witnesses. Firstly, using the
following attacking algorithm, the attacker can cal-
culate the remainder of n modulo an integer when
gcd(x,u
′
) = 1.
1. If gcd(x,u
′
) = 1, the non-membership witness for
x is a and d such that
au
′
+ bx = 1 (8)
and d = g
−b
mod n.
2. Obviously, gcd(a,x) = 1, otherwise au
′
+ bx can-
not be 1 but will be a multiple of gcd(a,x). So
using Euclidean algorithm, the attack can calcu-
late in polynomial time integers µ and β such that
aµ+ βx = 1. (9)
3. (8)-(9) yields
a(u
′
− µ) = x(β − b)
As gcd(a,x) = 1, x must be a factor of u
′
− µ.
Namely
u
′
= µ mod x
The attacking algorithm shows that although b
is not revealed in the non-membership witness Eu-
clidean algorithm can be employed to calculate
u
′
mod x from a and x. Repeating the attacking algo-
rithm using multiple different instances of x in X
k
such
that the product of the multiple instances of x is larger
than φ(n), the attacker can calculate u
′
in polynomial
time using the Chinese remainder theorem. Note that
u
′
= u mod φ(n). So the prover obtains a multiple of
φ(n) using polynomial calculation: u − u
′
. As n is a
composite of length k, X
k
denotes all the primes in Z
2
l
where l = ⌊k/2⌋ − 2 and x,x
1
,x
2
,...,x
m
are chosen
from X
k
, with a non-negligible probability
• u > φ(n) and thus u− u
′
6= 0;
• the product of a small number of integers in X
k
is larger than φ(n) and thus a small number of
non-membership witnesses are enough to apply
the Chinese remainder theorem.
So, the an attacker can obtain a multiple of φ(n) in
the from u − u
′
using polynomial calculation with a
non-negligible probability.
3.2 Four Concrete Attacks
With knowledge of a multiple of φ(n), various attacks
can be launched. For example, a prover can commit to
an integer not in X in c
′
but still pass the membership
proof as follows.
Algorithm 1. The first attack against membership
proof.
1. The prover commits to x = u−u
′
+x
I
in g
x
1
h
r
1
mod
n
1
where 1 ≤ I ≤ m and r is randomly chosen from
Z
n
1
.
2. The prover calculates c
x
= g
∏
I−1
i=1
x
i
∏
m
i=I+1
x
i
mod n.
3. The prover proves his knowledge of x, r and c
x
to satisfy (1), (2) and (3). As the order of G
f
is
φ(n)/4, u− u
′
is a multiple of the order of g. So
c
x
x
= (g
∏
I−1
i=1
x
i
∏
m
i=I+1
x
i
)
u−u
′
+x
I
= g
(
∏
I−1
i=1
x
i
)(u−u
′
+x
I
)
∏
m
i=I+1
x
i
= g
(
∏
I−1
i=1
x
i
)x
I
∏
m
i=I+1
x
i
= g
∏
m
i=1
x
i
= c mod n.
Therefore, the prover can successfully prove
knowledge of secret integers x = u−u
′
+ x
I
, r and
c
x
such that
c
1
= g
x
1
h
r
1
mod n
1
c
x
x
= c mod n.
As the probability that x ∈ Z
2
l
is non-negligible
in the given parameter setting, especially when x
I
is the smallest integer in X, the probability that
this attack can satisfy (1), (2) and (3) is non-
negligible.
As u − u
′
is not a multiple of the order of g
1
,
u − u
′
+ x
I
and x
I
are completely different messages
in the commitment algorithm, and so soundness of
membership proof in (Li et al., 2007) is compromised.
Similarly, a prover can commit to an integer chosen
from X in c
′
but still pass the non-membership proof
as follows.
Algorithm 2. The first attack against non-
membership proof.
1. The prover commits to x
I
in g
x
1
h
r
1
mod n
1
where
1 ≤ I ≤ m and r is randomly chosen form Z
n
1
.
2. The prover employs Euclidean algorithm to cal-
culate integers a and b such that
a(
∏
I−1
i=1
x
i
)(u− u
′
+ x
I
)
∏
m
i=I+1
x
i
+ bx = 1.
As
gcd(x,(
∏
I−1
i=1
x
i
)(u− u
′
+ x
I
)
∏
m
i=I+1
x
i
)
= gcd(x
I
,(
∏
I−1
i=1
x
i
)(u− u
′
+ x
I
)
∏
m
i=I+1
x
i
) = 1
except for a negligible probability, the prover can
calculate a and b to satisfy (10) except for a
negligible probability. He then calculate d =
g
−b
mod n.
3. The prover proves his knowledge of x, r, a and d
to satisfy (4), (5), (6) and (7). More precisely, he
proves x, r and the integers he obtains, a and d, to
satisfy
c
1
= g
x
1
h
r
1
mod n
1
c
a
= d
x
g mod n
VULNERABILITY OF A NON-MEMBERSHIP PROOF SCHEME
421
Note that
d
x
g = (g
−b
)
x
g = g
1−bx
= g
a(
∏
I−1
i=1
x
i
)(u−u
′
+x
I
)
∏
m
i=I+1
x
i
As the order of G
f
is φ(n)/4, u − u
′
is a multiple
of the order of g. So (10) implies
d
x
g = g
a(
∏
I−1
i=1
x
i
)x
I
∏
m
i=I+1
x
i
= (g
∏
m
i=1
x
i
)
a
= c
a
mod n.
So the prover can satisfy (4) and (5). Moreover,
x ∈ Z
2
l
and as shown in (Li et al., 2007) with a
non-negligible probability a calculated as above
is in Z
2
l
. So the prover can satisfy (4), (5), (6) and
(7) with a non-negligible probability.
As u − u
′
is not a multiple of the order of g
1
, u −
u
′
+ x
I
and x
I
are completely different messages in
the commitment algorithm, and so soundness of non-
membership proof in (Li et al., 2007) is compromised.
The two attacks above are not always successful,
but only succeed with a non-negligible probability.
Moreover, the attack against membership proof can-
not work with any x in X
k
but need to specially choose
x as the sum of an integer in X and a multiple of u−u
′
.
To overcome these two limitations, two more pow-
erful attacks are proposed in the following, attacking
membership proof and non-membershipproof respec-
tively.
Algorithm 3. The second attack against membership
proof.
1. A prover randomly chooses x in X
k
but not in X
and publishes c
1
= g
x
1
h
r
1
mod n
1
where r is ran-
domly chosen form Z
n
1
.
2. The prover calculates z = x
−1
mod u − u
′
and
c
x
= c
z
mod n. Note that gcd(x,u−u
′
) = 1 except
for a negligible probability so c
x
can be success-
fully calculated except for a negligibleprobability.
3. The prover proves his knowledge of x, r and c
x
to
satisfy (1), (2) and (3). As
c
x
x
= c
zx
= c
1+v(u−u
′
)
mod n
where v is an integer and the order of c is φ(n)/4,
a factor of u− u
′
,
c
x
x
= c mod n
is satisfied. As x ∈ X
k
⊂ Z
2
l
, (1), (2) and (3) are
satisfied. Namely, the attack is successful.
Algorithm 4. The second attack against non-
membership proof.
1. A prover randomly chooses x in X and publishes
c
1
= g
x
1
h
r
1
mod n
1
where r is randomly chosen
form Z
n
1
.
2. The prover randomly chooses a in Z
2
l
and cal-
culates z = x
−1
mod u − u
′
. Note that gcd(x,u−
u
′
) = 1 except for a negligible probability so z can
be successfully calculated except for a negligible
probability.
3. The prover calculates d = (c
a
/g)
z
mod n.
4. The prover proves his knowledge of x, r, a and d
to satisfy (4), (5), (6) and (7). As
d
x
g = (c
a
/g)
xz
g = (c
a
/g)
1+v(u−u
′
)
g mod n
where v is an integer and the order of c is φ(n)/4,
a factor of u− u
′
,
d
x
g = c
a
mod n
is satisfied. As x ∈ X ⊂ Z
2
l
and a ∈ Z
2
l
, (4), (5),
(6) and (7) are satisfied. Namely, the attack is suc-
cessful.
The last two attacks compromise soundness of
membershipproof and non-membershipproof respec-
tively. They are more effective and harmful than the
first two attacks.
4 CONCLUSIONS
The non-membershipproof scheme in (Li et al., 2007)
is insecure and vulnerable to various attacks. Its
soundness is unreliable and its applications must be
very cautious.
REFERENCES
Camenisch, J., Chaabouni, R., and Shelat, A. (2008). Effi-
cient protocols for set membership and range proofs.
In ASIACRYPT ’08, pages 234–252.
Camenisch, J. and Lysyanskaya, A. (2002). Dynamic ac-
cumulators and application to efficient revocation of
anonymous credentials. In CRYPTO ’02, pages 61–
76.
Li, J., Li, N., and Xue, R. (2007). Universal accumulators
with efficient nonmembership proofs. In ACNS ’07,
pages 253–269.
SECRYPT 2010 - International Conference on Security and Cryptography
422
